ABSTRACT


Process Algebra forms a cornerstone of the formal methods area of Computer Science. Among the more widely used approaches is Milner's Calculus of Communicating Systems (CCS). Recently CCS has been extended by Schmidt and Bibighaus through the introduction of Doubly Labeled Transition Systems. This framework has enhanced the model's ability to capture security and availability properties. In this thesis we reformulate, simplify, and extend Bibighaus' work using a graph theoretic framework. The intent is that this abstract mathematical view will make the results more accessible and stimulate additional research. Existing definitions and theorems are redefined and proved using Labeled and Doubly Labeled Transition Graphs (LTG and DLTG). CCS simulation concepts are recast as graph morphisms, and the notions of abstraction and refinement are explained through the use of graphs. Bibighaus' work is extended by showing how to carry out non-atomic DLTG refinement, and by developing a form of graph composition involving graph refinements that share a common abstract graph. This type of composition is proven to always be possible with DLTG refinements, and we demonstrate that the composite graph is both a refinement of the abstract graph and an abstract graph for the refinements from which it was made.
I. INTRODUCTION


A.  PROBLEM  STATEMENT 

In  order  to  develop  high  assurance  software  under  the  Common  Criteria 
Certification  requirements  [1]  it  is  necessary  to  adopt  a  layered  development  approach. 
Formal  methods  are  frequently  used  in  this  process  because  they  provide  a  means  of 
developing  and  proving  that  an  abstract  model  of  a  system  is  secure.  This  model  is  then 
refined  until  a  concrete  implementation  is  achieved.  At  each  layer  of  the  development 
process,  one  is  able  to  assert  the  security  of  the  refinement  by  mapping  it  back  to  the 
abstract  model.  Unfortunately,  despite  this  systematic  development  approach,  it  still  is 
possible  that  the  concrete  system  contains  security  flaws  such  as  covert  channels. 

Recently  Bibighaus  [2]  and  others  have  introduced  Doubly  Labeled  Transition 
Systems,  and  have  demonstrated  how  this  model  is  able  to  guarantee  that  a  larger  set  of 
security  and  availability  properties  are  retained  throughout  the  refinement  process. 

The  purpose  of  this  thesis  is  twofold:  First,  we  restate  and  simplify  Bibighaus’ 
research  using  a  graph  theoretic  framework  that  is  more  accessible  and  widely  understood 
than  the  Prototype  Verification  System  (PVS)  environment  used  throughout  his 
dissertation.  Secondly,  we  address  the  following  question:  Given  an  abstract 
specification  and  two  different  refinements  of  that  specification,  is  it  possible  to  compose 
the  two  refinements  in  such  a  manner  as  to  create  a  new  refinement  that  captures  the 
properties  of  both  refinements  while  still  satisfying  the  abstract  specification? 

B.  MOTIVATION 

Bibighaus’  work  on  Doubly  Labeled  Transition  System  has  demonstrated  the 
model’s  potential  as  a  useful  tool  in  the  secure  software  development  process.  However, 
much  work  still  remains.  One  unanswered  question  is  how  to  go  about  composing  two 
refinements  of  the  same  abstract  specification.  This  question  is  relevant  because  it  is 
conceivable that during the development process, two different refinements are created
that  both  capture  desirable  aspects  of  a  system  and  hence  need  to  be  brought  together  to 
form  a  more  complete  refinement. 

By  presenting  Bibighaus’  work  using  a  graph  theoretic  framework  it  is  hoped  that 
we  can  make  his  results  accessible  to  a  wider  audience  and  stimulate  additional  research 
in  this  important  area  of  software  engineering. 

C.  METHODOLOGY 

This  research  is  conducted  using  graph  theory.  The  existing  Doubly  Labeled 
Transition  System  framework  utilized  by  Bibighaus  is  redefined  and  explained  in  graph 
theoretic  terms. 

D.  CONTRIBUTION 

This  thesis  makes  the  following  contributions. 

1. We explain Labeled and Doubly Labeled Transition Systems using a graph theoretic framework. Existing definitions and theorems from Bibighaus' work are redefined and proved using Labeled and Doubly Labeled Transition Graphs.

2. We prove that edge refinement of a "Must" edge in a DLTG requires that every edge of the graph refining that edge also be a "Must" edge.

3.  We  develop  a  method  of  combining  Labeled  and  Doubly  Labeled  Transition 
Graph  refinements  that  share  a  subgraph  and  a  common  abstract  graph. 
Moreover,  we  show  that  this  process  is  always  possible  to  do  with  DLTGs. 

4.  We  prove  that  the  join  of  two  DLTG  refinements  that  share  a  common 
abstract  graph  is  a  refinement  of  the  abstract  graph,  and  that  the  new  graph 
also  serves  as  an  abstract  graph  for  the  two  refinements  used  to  create  it. 
II. PRELIMINARIES


In  this  chapter  we  briefly  discuss  Process  Algebras,  and  then  introduce  Labeled 
Transition  Graphs.  This  is  the  fundamental  mathematical  structure  that  will  be  used 
throughout  this  thesis.  Finally,  we  discuss  equivalence  classes  of  Labeled  Transition 
Graphs,  and  show  how  this  concept  could  be  leveraged  when  trying  to  prove  equivalence 
between  different  graphs. 

A.  PROCESS  ALGEBRAS 

Process Algebras have seen wide use in the field of computer science because they provide the mathematical framework necessary to formally reason about computer behavior. Process Algebras allow us to model computer interactions, communications, and synchronizations through the use of algebraic rules that can be manipulated and analyzed. Among the most popular Process Algebras are Communicating Sequential Processes (CSP), developed by C.A.R. Hoare [3], and Robin Milner's Calculus of Communicating Systems (CCS) [4]. Because of their widespread use, both of these frameworks have been thoroughly analyzed and proven to be Turing complete. CSP is a Process Algebra which uses denotational semantics: a process is represented as a set of mathematical objects, such as the set of traces it can perform. CCS, on the other hand, uses operational semantics: a process is expressed as the set of actions that can occur. CCS is frequently represented using Labeled Transition Systems. A Labeled Transition System consists of a set of system states and a set of labeled transitions between these states. Recently CCS has been extended by Schmidt [5] and Bibighaus [2] to support Doubly Labeled Transition Systems. This framework has enhanced the model's ability to capture safety and liveness properties in computer systems.

In this thesis we focus on the operational semantic approach of Bibighaus. His work was partially built upon that of Milner [4] and made extensive use of Labeled Transition Systems. His results were formulated and proven using the Prototype Verification System (PVS) theorem proving software [6]. Our goal is to present and extend his work using a graph theoretic approach.
B. LABELED TRANSITION GRAPHS (LTG)


In this section we introduce Labeled Transition Graphs. These graphs are similar in many respects to Labeled Transition Systems [2]; however, all attributes of Labeled Transition Systems are now defined using graph theory. We can use a Labeled Transition Graph to model the behavior of a computer system, and we will use a notation that makes this connection direct.

Definition 2.1: (Labeled Transition Graph) Let $G$ be a directed graph defined by the quadruple $G = (V, A, E, v_0)$ where

$V$ is a set of vertices called states,

$A$ is a set of labels called actions,

$E$ is the set of labeled edges, such that $E \subseteq V \times A \times V$,

$v_0$ is a distinguished start vertex, such that $v_0 \in V$.

Then, given an LTG $G$, where $p, q \in V_G$, $a \in A_G$, and $(p, a, q) \in E_G$, we use the notation

$p \xrightarrow{a} q$ or $a(p) = q$.

We interpret this as follows: whenever vertex $p$ in $G$ is acted upon by action $a$, the system will transition to state $q$ via the labeled edge $(p, a, q)$.

As an example, consider a pushbutton flashlight. This is, in fact, a simple electrical machine with two states. The flashlight can either be on or off, and the action required to effect a change in state is a simple push action. We can model this machine using a Labeled Transition Graph with start vertex $v_{Off}$ as:

$Flashlight = (V_{Flashlight} = \{v_{Off}, v_{On}\},\ A_{Flashlight} = \{Push\},\ E_{Flashlight} = \{(v_{Off}, Push, v_{On}), (v_{On}, Push, v_{Off})\},\ v_{Off})$

[Figure 1 not reproduced: the two-state graph defined above, with a $Push$ edge in each direction]

Figure 1. LTG Model Of Flashlight Behavior
Labeled Transition Graphs are intuitive, and can be very useful, particularly when attempting to model more complex systems.

Definition 2.2: (A directed path in an LTG) Let $G$ be an LTG, $v$ be a vertex in $G$, and $\eta$ and $\tau$ be functions that return, respectively, the head (first vertex) and tail (last vertex) of a given edge, i.e. $\eta((p, a, q)) = p$ and $\tau((p, a, q)) = q$. Then a directed path $p_v = (e_0, e_1, e_2, \ldots, e_n)$, $e_i \in E_G$, is a sequence of labeled edges such that:

$\eta(e_0) = v \ \wedge\ \forall i \in [0, n-1]:\ \tau(e_i) = \eta(e_{i+1})$

Note that in Labeled Transition Graphs we allow for both repeated edges and vertices in directed paths. The directed path $p_v$ is a subgraph of $G$, and we denote the graph $G$ restricted to $p_v$ as $G|_{p_v}$.

Definition 2.3: (The set of directed paths in an LTG) Let $G$ be an LTG with start vertex $v_0$. Then $P(G)$ is the set of all directed paths of $G$ starting at $v_0$.

1.  Traces 

In  Process  Algebras  we  often  would  like  to  compare  systems.  One  way  to  do  this 
is  by  comparing  the  sequence  of  actions  that  different  systems  are  capable  of  executing. 
These  patterns  of  allowable  actions  are  referred  to  as  traces. 


Definition 2.4: (A trace in an LTG) Given an LTG $G$ and a vertex $v$ in $G$, let $\alpha(e)$ denote the action labeling an edge $e$, so that $\alpha((p, a, q)) = a$. A sequence of actions $t_v = (a_0, a_1, a_2, \ldots, a_n)$, $a_i \in A_G$, is a trace in $G$ with respect to $v$ if there is a directed path $p_v$ in $G$ starting at $v$ whose labels spell out $t_v$:

$\exists\, p_v = (e_0, e_1, e_2, \ldots, e_n) \ :\ (\alpha(e_0), \alpha(e_1), \alpha(e_2), \ldots, \alpha(e_n)) = t_v$

We use the notation $T(p_v) = t_v$ to represent the trace associated with the path $p_v$.

Depending  on  G,  there  may  be  many  different  traces  starting  at  a  given  vertex  in  G.  In 
fact,  since  our  definition  of  a  directed  path  allows  for  vertex  and  edge  repetitions,  there 
could be infinitely many such traces if $G$ contains a cycle. Using Definition 2.3 we construct the set of traces that a Labeled Transition Graph will "accept".

Definition 2.5: (A trace set of an LTG) Given an LTG $G$, let $T(G)$ represent the set of all traces in $G$ with respect to the start vertex $v_0$, i.e. $T(G) = \{T(p) : p \in P(G)\}$. Then $T(G) \subseteq A_G^{*}$, where $A_G^{*}$ represents the Kleene closure of the set of actions of $G$. Since a trivial walk, i.e. a walk of length 0, exists in any graph [7], we conclude that the empty sequence will be a part of the trace set of any system modeled by an LTG.

One  type  of  relationship  we  can  establish  between  graphs  is  trace  equivalence.  Labeled 
Transition  Graphs  are  trace  equivalent  if  they  have  the  same  trace  sets. 


Definition 2.6: (Trace equivalence between LTGs) Given two labeled transition graphs $G_1$, $G_2$,

$G_1 \overset{trace}{=} G_2 \iff T(G_1) = T(G_2)$

Informally we say that trace equivalent LTGs are capable of carrying out the same sequences of actions. Consider for instance the three labeled transition graphs $G_1$, $G_2$ and $G_3$ of Figure 2, each with start vertex $v_0$.

[Figure 2 not reproduced]

Figure 2. Three Trace Equivalent Labeled Transition Graphs

These three Labeled Transition Graphs are all trace equivalent.
2. Labeled Transition Graph Morphisms


In  graph  theory  one  fundamental  equivalence  relationship  among  graphs  is  called 
an  isomorphism.  An  isomorphism  consists  of  a  bijective  mapping  between  the  vertices  of 
two  graphs  such  that  each  edge  in  one  graph  corresponds  to  an  edge  in  the  other  graph 
and  vice  versa.  This  type  of  morphism  is  far  too  restrictive  to  be  useful  when  trying  to 
compare  systems  that  are  modeled  using  Labeled  Transition  Graphs.  We  would  like  to 
compare  systems  that  have  different  numbers  of  system  states  or  transitions  between 
states.  Systems  that  are  functionally  equivalent  could  end  up  having  different  graph 
representations. 

Another  method  to  determine  whether  two  Labeled  Transition  Graphs  are 
equivalent  was  developed  by  Milner  [4]  for  use  in  CCS.  This  approach  has  proven  to  be 
very  useful,  and  was  used  extensively  throughout  Bibighaus’  work.  This  system  of 
comparison  consists  of  two  relational  mapping  schemes;  one  called  simulation,  and  the 
other referred to as bisimulation. Both schemes make use of a relation $R$ on the vertices of the two graphs. Given two Labeled Transition Graphs $G_C$ and $G_A$, $R \subseteq (V_{G_C} \times V_{G_A})$ such that $R$ is Left-Right total.

Definition 2.7: (Left-Right total mapping condition) Given two Labeled Transition Graphs $G_A, G_C$ and a relation $R$ between the vertices of $G_C$ and $G_A$, we say that $R$ is Left-Right Total if:

$(\forall v \in V_{G_C}\ \exists v' \in V_{G_A} : (v, v') \in R) \ \wedge\ (\forall v' \in V_{G_A}\ \exists v \in V_{G_C} : (v, v') \in R)$

From here on, unless we say otherwise, we assume that all such relations are Left-Right total.

Definition 2.8: (Simulation between LTGs) Given two graphs $G_C$, $G_A$, and a relation $R \subseteq (V_{G_C} \times V_{G_A})$, we say that $G_C$ simulates $G_A$ under $R$ and write $G_C \lesssim_R G_A$ if every labeled edge of $G_C$ has an $R$-related counterpart in $G_A$:

$\forall v_1, v_2 \in V_{G_C},\ \forall a \in A_{G_C}:\ (v_1, a, v_2) \in E_{G_C} \Rightarrow \exists v_1', v_2' \in V_{G_A} : (v_1', a, v_2') \in E_{G_A} \wedge (v_1, v_1') \in R \wedge (v_2, v_2') \in R$
Definition 2.9: (Bisimulation between LTGs) Given two graphs $G_C$, $G_A$, and a relation $R \subseteq (V_{G_C} \times V_{G_A})$ such that $G_C \lesssim_R G_A \wedge G_A \lesssim_{R^{-1}} G_C$, we say that $G_C$ and $G_A$ are bisimilar and write $G_C \approx_R G_A$.

Here we adopt Bibighaus' framework [2] and stipulate that the set of actions in the two graphs be the same. This simplifies our model and requires only a relation on the vertices of the two graphs. In a simulation $G_C \lesssim_R G_A$, we map the vertices of $V_{G_C}$ to vertices in $V_{G_A}$ in such a manner that every labeled edge in $E_{G_C}$ corresponds to a labeled edge in $E_{G_A}$ carrying the same action. In other words, $R$ induces a relation on edges contained in $E_{G_C} \times E_{G_A}$. In the bisimulation $G_C \approx_R G_A$ we must ensure that a mapping goes in both directions: the bisimulation relation $R$ induces an edge relation contained in $E_{G_C} \times E_{G_A}$, and $R^{-1}$ induces an edge relation contained in $E_{G_A} \times E_{G_C}$.

Bisimulation is a more restricted form of comparison than trace equivalence. Bisimilar systems must not only agree on what they do, but also on how they do it.

[Figure 3 not reproduced: three LTGs $G_1$, $G_2$ and $G_3$ over the same actions]

Figure 3. Comparison Of Equivalence Relationships (Modified From [2])

The three graphs $G_1$, $G_2$, and $G_3$ shown in Figure 3 are all trace equivalent, yet only $G_1$ and $G_2$ are bisimilar. Moller and Smolka [8] rather elegantly explain bisimulation in terms of a game involving two processes $(P, Q)$, in which two players alternate moves in the following manner: Player 1 chooses a transition of one of the processes, and player 2 must subsequently respond by selecting a transition with the same label in the other process. Then they reverse roles: player 2 gets to choose a transition in either $P$ or $Q$, and player 1 must find a matching transition in the other process. If one of the players is ever unable to respond to the adversary's move, he loses the game. In this case the systems are not bisimilar.

Lemma 2.1: Bisimulation implies trace equivalence.

$G_x \approx_R G_y \Rightarrow G_x \overset{trace}{=} G_y$

Proof: Suppose, by way of contradiction, that there are two Labeled Transition Graphs $G_x$ and $G_y$ such that $G_x \approx_R G_y$ under the relation $R$ and $T(G_x) \neq T(G_y)$. From Definition 2.9 we know that $G_x \lesssim_R G_y \wedge G_y \lesssim_{R^{-1}} G_x$. Since $T(G_x) \neq T(G_y)$, there must be at least one trace $t$ in one graph that is not present in the other. Without loss of generality, let $t \in T(G_x) \wedge t \notin T(G_y)$. By Definitions 2.4 and 2.5, $t = (a_0, a_1, \ldots, a_n) = T(p)$ for some directed path $p = (e_0, e_1, \ldots, e_n) \in P(G_x)$. Since $t \notin T(G_y)$, no directed path of $G_y$ starting at its start vertex carries the trace $t$; hence there is a first edge $e_i = (v_i, a_i, v_{i+1})$ of $p$ for which $R$ cannot supply a matching edge $(v_i', a_i, v_{i+1}')$ in $G_y$ with $(v_i, v_i'), (v_{i+1}, v_{i+1}') \in R$, that is, $R$ fails to induce the edge relation contained in $E_{G_x} \times E_{G_y}$. This, however, violates the simulation condition $G_x \lesssim_R G_y$ required by Definition 2.9, which in turn implies $\neg(G_x \approx_R G_y)$. Since this contradicts our initial assumption, we conclude that

$G_x \approx_R G_y \Rightarrow G_x \overset{trace}{=} G_y$.

Often, bisimulation is the preferred method of testing whether two graphs are equivalent. Bisimulation is not only more discriminating but, perhaps surprisingly, has been shown to be less computationally complex to decide than trace equivalence. Paige and Tarjan [9] developed a partition refinement algorithm for determining whether or not two systems are bisimilar that runs in $O(m \log n)$ time, where $n$ is the number of states and $m$ is the number of transitions. Moller and Smolka [8], on the other hand, have shown that under certain conditions deciding trace equivalence is PSPACE-complete.
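The following Python is added here as an illustration of Definitions 2.4 to 2.9 and of the game above; it is not part of the thesis and not Bibighaus' PVS development. An LTG is kept as a set of labeled edges $(p, a, q)$ plus a start vertex, trace sets are enumerated up to a length bound (Definition 2.5 is infinite once a cycle exists), and the greatest simulation and bisimulation are computed by the naive fixpoint behind the game (Milner's coinductive definition, in which every move from a related pair must be answered; this is not the Paige-Tarjan algorithm, and it is stricter than the edge-matching formula of Definition 2.8). `simulated_by(G1, G2)` corresponds to $G_1 \lesssim G_2$ in the thesis's notation. The sample graphs are constructed for this example because Figures 2 and 3 are not reproduced: `G1` is $a.(b+c)$, `G2` the same behaviour with the $a$ step duplicated, `G3` is $a.b + a.c$; they are trace equivalent while only `G1` and `G2` are bisimilar. The flashlight of Figure 1 is included as `FLASHLIGHT`.

```python
"""Labeled Transition Graphs (Definition 2.1) as plain Python data: an LTG is a
pair (E, v0) where E is a set of labeled edges (p, a, q) and v0 the start vertex.
The vertex set V and action set A are recovered from E."""
from itertools import product


def vertices(E, v0):
    V = {v0}
    for p, _, q in E:
        V.update((p, q))
    return V


def _out(E):
    """Out-edge map p -> [(a, q), ...] for the edges (p, a, q) in E."""
    out = {}
    for p, a, q in E:
        out.setdefault(p, []).append((a, q))
    return out


def traces(G, max_len):
    """T(G) restricted to traces of length <= max_len (Definitions 2.4 and 2.5).
    Walks may repeat vertices and edges, so a bound is needed once G has a cycle;
    the empty trace (the trivial walk) is always present."""
    E, v0 = G
    out = _out(E)
    found, frontier = {()}, {(v0, ())}
    for _ in range(max_len):
        frontier = {(q, t + (a,)) for v, t in frontier for a, q in out.get(v, ())}
        found.update(t for _, t in frontier)
    return found


def trace_equivalent(G1, G2, max_len=6):
    """Definition 2.6, checked on all traces up to max_len."""
    return traces(G1, max_len) == traces(G2, max_len)


def _largest_relation(G1, G2, both_ways):
    """Greatest (bi)simulation between G1 and G2 under Milner's coinductive definition,
    the one played as the game in the text: start from all vertex pairs and delete (p, q)
    while some move p -a-> p' has no answer q -a-> q' with (p', q') still in R (and, for
    bisimulation, symmetrically for the moves of q). Pairs are (G1 vertex, G2 vertex)."""
    (E1, v1), (E2, v2) = G1, G2
    out1, out2 = _out(E1), _out(E2)
    R = set(product(vertices(E1, v1), vertices(E2, v2)))

    def answered(p, q, outp, outq, flip):
        for a, p2 in outp.get(p, ()):
            if not any(((q2, p2) if flip else (p2, q2)) in R
                       for b, q2 in outq.get(q, ()) if b == a):
                return False
        return True

    changed = True
    while changed:
        changed = False
        for p, q in list(R):
            ok = answered(p, q, out1, out2, False)
            if ok and both_ways:
                ok = answered(q, p, out2, out1, True)
            if not ok:
                R.discard((p, q))
                changed = True
    return R


def simulated_by(G1, G2):
    """True when every move of G1 can be matched by G2 from the start vertices on,
    i.e. G1 <~ G2 in the thesis's notation."""
    return (G1[1], G2[1]) in _largest_relation(G1, G2, both_ways=False)


def bisimilar(G1, G2):
    """True when the start vertices lie in the greatest bisimulation."""
    return (G1[1], G2[1]) in _largest_relation(G1, G2, both_ways=True)


# Constructed sample graphs (the figures are not reproduced on the page).
FLASHLIGHT = ({("off", "Push", "on"), ("on", "Push", "off")}, "off")
# G1 = a.(b + c); G2 = same behaviour with the a-step duplicated; G3 = a.b + a.c.
G1 = ({("u0", "a", "u1"), ("u1", "b", "u2"), ("u1", "c", "u3")}, "u0")
G2 = ({("w0", "a", "w1"), ("w0", "a", "w2"), ("w1", "b", "w3"), ("w1", "c", "w4"),
       ("w2", "b", "w5"), ("w2", "c", "w6")}, "w0")
G3 = ({("x0", "a", "x1"), ("x0", "a", "x2"), ("x1", "b", "x3"), ("x2", "c", "x4")}, "x0")

if __name__ == "__main__":
    print(sorted(traces(FLASHLIGHT, 3)))
    print(trace_equivalent(G1, G3), bisimilar(G1, G2), bisimilar(G1, G3))
    print(simulated_by(G3, G1), simulated_by(G1, G3))
```

`G3` is simulated by `G1` but not the other way round: after `G1`'s single $a$ step both $b$ and $c$ remain available, and no single state of `G3` can answer both, which is exactly the distinction trace equivalence cannot see.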
3. Equivalence Classes of Labeled Transition Graphs

We now show that bisimulation forms an equivalence relation on a set of Labeled Transition Graphs.

Lemma 2.2: Bisimulation is reflexive.

$G_A \approx_I G_A$

Proof: From Definition 2.9 we have that:

$G_A \approx_R G_A \iff (G_A \lesssim_R G_A) \wedge (G_A \lesssim_{R^{-1}} G_A)$

Letting $R = I$, where $I$ is the identity relation on $V_{G_A}$ and $I^{-1} = I$, yields:

$(G_A \lesssim_I G_A) \wedge (G_A \lesssim_I G_A)$

which holds because every labeled edge $(v_1, a, v_2)$ of $G_A$ is its own counterpart with $(v_1, v_1), (v_2, v_2) \in I$. Hence $G_A \approx_I G_A$.

Lemma 2.3: Bisimulation is symmetric.

$G_A \approx_R G_B \iff G_B \approx_{R^{-1}} G_A$

Proof: Suppose $G_A \approx_R G_B$. Then by Definition 2.9 we have that $G_A \lesssim_R G_B$ and $G_B \lesssim_{R^{-1}} G_A$. Furthermore, in order to have $G_B \approx_{R'} G_A$, there must exist a relation $R'$ such that $G_B \lesssim_{R'} G_A$ and $G_A \lesssim_{R'^{-1}} G_B$. Letting $R' = R^{-1}$ we get $G_B \lesssim_{R^{-1}} G_A$, and since $(R')^{-1} = (R^{-1})^{-1} = R$ we also have $G_A \lesssim_R G_B$. The converse follows by the same argument with the roles of $G_A$ and $G_B$ exchanged.

Lemma 2.4: Bisimulation is transitive.

$(G_A \approx_{R_1} G_B) \wedge (G_B \approx_{R_2} G_C) \Rightarrow \exists R_3 : G_A \approx_{R_3} G_C$

Proof: Suppose we have $G_A \approx_{R_1} G_B$ under the relation $R_1$ and $G_B \approx_{R_2} G_C$ under the relation $R_2$. Then according to Definition 2.9 we have:

$(G_A \lesssim_{R_1} G_B) \wedge (G_B \lesssim_{R_1^{-1}} G_A)$ and $(G_B \lesssim_{R_2} G_C) \wedge (G_C \lesssim_{R_2^{-1}} G_B)$

Since the bisimulation relations are by definition Left-Right total, they can be composed, and the composition is again Left-Right total. Letting $R_3 = R_2 \circ R_1$ (apply $R_1$, then $R_2$) and $R_3^{-1} = R_1^{-1} \circ R_2^{-1}$, and using these new relations, we then have $(G_A \lesssim_{R_3} G_C) \wedge (G_C \lesssim_{R_3^{-1}} G_A)$, which by Definition 2.9 means that $G_A \approx_{R_3} G_C$. We have therefore demonstrated that:

$(G_A \approx_{R_1} G_B) \wedge (G_B \approx_{R_2} G_C) \Rightarrow \exists R_3 : G_A \approx_{R_3} G_C$.


Theorem  2.1:  Bisimulation  forms  an  equivalence  relation  on  a  set  of 
Labeled  Transition  Graphs 

Proof:  This  follows  directly  from  Lemma  2.2,  Lemma  2.3,  and  Lemma  2.4. 


An important consequence of Theorem 2.1 is that a set of Labeled Transition Graphs can be partitioned into equivalence classes, which we call bisimulation classes and denote by $\overline{G}$. Every pair of graphs in a bisimulation class are bisimilar, and any two graphs in different bisimulation classes are not bisimilar. Therefore, if we wish to prove that a given graph, not contained in a particular bisimulation class, is bisimilar to a specific graph within that bisimulation class, it is sufficient to prove that it is bisimilar to any graph in that bisimulation class. This turns out to be a very useful property, since it can often be very difficult to prove bisimilarity between graphs that have greatly varying degrees of complexity. We may be able to simplify our proof by moving laterally within a bisimulation class rather than up and down the complexity scale, and instead attempt to prove bisimilarity between graphs that have similar degrees of complexity.

In this chapter we briefly discussed Process Algebras and explained why we have chosen to work with the operational semantic framework of Bibighaus. We then introduced the notion of a Labeled Transition Graph. This discussion covered the notion of a trace in a Labeled Transition Graph, as well as when two LTGs are considered to be trace equivalent. Subsequently we introduced simulation and bisimulation morphisms between Labeled Transition Graphs. Finally, we proved that bisimulation forms an equivalence relation on a set of Labeled Transition Graphs, and discussed how this fact could be useful when trying to establish a bisimulation relation between two Labeled Transition Graphs.
III. ABSTRACTION AND REFINEMENT


A.  OVERVIEW 

In  this  chapter  we  introduce  the  concepts  of  abstraction  and  refinement  and  show 
how  they  are  used  in  Computer  Science.  We  then  discuss  basic  refinement  of  Labeled 
Transition  Graphs  as  well  as  two  other  forms  of  refinement,  called  vertex  refinement  and 
edge  refinement. 

Computers  are  very  complex  machines.  In  order  to  study  them,  computer 
scientists  must  leverage  the  principle  of  abstraction.  Abstraction  is  a  process  whereby 
one  reduces  the  complexity  of  a  system  by  removing  detail.  By  doing  so,  one  can  focus 
on  a  few  important  concepts  at  a  time.  For  example,  the  typical  view  of  computer 
architecture  is  as  a  series  of  abstraction  layers  as  depicted  below: 


Level 6   User                  Executable Programs
Level 5   High-level Language   C, C++, Java, Fortran
Level 4   Assembly Language     Assembly Code
Level 3   System Software       Operating System
Level 2   Machine               Instruction Set Architecture
Level 1   Control               Microcode or Hardwired
Level 0   Digital Logic         Circuits, Logic Gates, etc.

Table 1. The Abstract Layers Of A Computer System (Modified From [10])

Each of the above layers represents a particular view of the system. Given a particular sequence of actions, we can model what is taking place at each of these layers with a Labeled Transition Graph. An abstraction is a mapping between two representations in which we strip away extraneous details from one system, retaining only the properties pertinent to a higher level view of the system. The inverse of this mapping is referred to as a refinement. In terms of Labeled Transition Graphs, we add detail in the form of vertices and edges to a graph to obtain a more detailed representation of the system.
B. BASIC REFINEMENT

Refinement  mappings  are  of  particular  interest  since  we  typically  build  computer 
systems  and  design  software  in  a  top  down  fashion;  beginning  first  with  an  abstract 
specification  and  then  developing  a  concrete  implementation.  [11]  Throughout  this 
process  we  need  to  ensure  that  our  implementation  preserves  all  of  the  desired  properties 
of  our  abstraction. 

Definition 3.1: (A Labeled Transition Graph refinement) Given two LTGs $G_C$ and $G_A$, we say that $G_C$ is a refinement of $G_A$ if and only if $G_C \lesssim_R G_A$ for some (Left-Right total) relation $R$.

Theorem 3.1: Graph refinement implies trace containment.

$G_C \lesssim_R G_A \Rightarrow \forall p_C \in P(G_C)\ \exists p_A \in P(G_A) : T(p_C) = T(p_A) \wedge G_C|_{p_C} \lesssim_R G_A|_{p_A}$

Proof: We prove this using induction on the length of the path. Suppose there are two Labeled Transition Graphs $G_C$ and $G_A$ such that $G_C \lesssim_R G_A$, where $R$ relates the two start vertices. We use the notation $p_A$ and $p_C$ to represent directed paths in $G_A$ and $G_C$ respectively.

Base case: Let $p_C \in P(G_C)$ be a directed path of length 0. Since a trivial walk is a part of any graph, we know that there exists a path $p_A$ of length zero in $G_A$. From Definition 2.4 we know that this implies that the empty trace is part of each graph's trace set, and $R$ restricted to the two start vertices relates $G_C|_{p_C}$ to $G_A|_{p_A}$; the theorem therefore holds for the base case.

Induction: Let $|p|$ represent the length of a path $p$. We assume that the theorem is true for all paths $p$ with $|p| \le n$. Let $p_C \in P(G_C)$, $|p_C| = n+1$, $p_C = \langle e_1, e_2, \ldots, e_n, e_{n+1} \rangle$, and $p_C' = \langle e_1, e_2, \ldots, e_n \rangle$. Then by induction $\exists p_A' = \langle e_1', e_2', \ldots, e_n' \rangle$ such that $T(p_A') = T(p_C')$ and $G_C|_{p_C'} \lesssim_R G_A|_{p_A'}$. Let $e_n = (v_n, a_n, v_{n+1})$, $e_n' = (v_n', a_n, v_{n+1}')$ with $(v_{n+1}, v_{n+1}') \in R$, and $e_{n+1} = (v_{n+1}, a_{n+1}, v_{n+2})$. Since $G_C \lesssim_R G_A$, $\exists v_{n+2}' \in V_{G_A}$ and an edge $e_{n+1}' = (v_{n+1}', a_{n+1}, v_{n+2}') \in E_{G_A}$ such that $(v_{n+2}, v_{n+2}') \in R$. Appending $e_{n+1}'$ to $p_A'$ we have therefore constructed a directed path $p_A \in P(G_A)$ such that $T(p_A) = T(p_C)$ and $G_C|_{p_C} \lesssim_R G_A|_{p_A}$.
This theorem tells us that, given two graphs $G_A$ and $G_C$ where $G_C$ is a refinement of $G_A$, the refinement relation $R$ ensures that for every directed path of $G_C$ there is a directed path of $G_A$ with the same trace, and hence that $T(G_C) \subseteq T(G_A)$: the abstract graph contains the trace set of its refinement.

To  illustrate  abstraction  and  refinement  we  revisit  our  flashlight  LTG  example. 
We  begin  by  questioning  whether  or  not  our  model  was  correct.  We  correctly  identified 
the  binary  nature  of  the  illumination  property,  but  made  assumptions  about  the  flashlight 
battery  and  light  bulb.  Clearly,  actions  such  as  the  light  bulb  burning  out,  or  the  battery 
running  out  of  electrical  charge,  would  lead  to  failures.  In  this  case  the  flashlight  would 
remain  off,  regardless  of  how  many  times  we  pushed  the  “on”  button.  We  can  rectify  our 
oversight  by  adding  additional  states  and  actions  to  our  model  as  depicted  below. 


[Figure 4 not reproduced: the flashlight LTGs $G_1$, $G_2$, $G_3$ and $G_4$ described below]

Figure 4. Flashlight LTG Refinements
In $G_2$ we added a broken filament vertex $v_{BrokenFilament}$ along with a $Fil.Break$ action, whereas in $G_3$ we added a low battery vertex $v_{LowBatt}$ and a $Discharge$ action. In $G_4$ we added both of these new states and their associated labeled edges. Insofar, $G_4$ is an abstraction for both $G_2$ and $G_3$, since it contains all of the directed paths, and thus the traces, of $G_2$ and $G_3$. Likewise, $G_1$ is an abstraction of the three other graphs. The simulation morphisms map the $v_{LowBatt}$ and $v_{BrokenFilament}$ vertices of $G_2$, $G_3$, and $G_4$ to the $v_{Off}$ vertex in $G_1$. Although $G_1$ contains the same vertices as our initial model, it now has quite a few additional labeled edges. These labeled edges account for all of the situations we failed to consider in our original model.

It may initially seem rather odd that $G_1$ is non-deterministic with regard to the $Push$ transition from the $v_{Off}$ vertex. Yet, from a practical standpoint, this is not so surprising. Anyone who has ever attempted to use an old flashlight can attest to the uncertainty regarding what effect switching it on will have. From a theoretical point of view, however, one will notice that $G_4$ is deterministic while still being able to model the desired property. Oftentimes, as in this case, non-determinism occurs in a model because the model is under-specified: the abstract state $v_{Off}$ conflates several concrete states that respond differently to the same action.
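The Python below is added as an illustration of Definitions 2.7, 2.8, 3.1 and 3.2 on the flashlight example; it is not code from the thesis. It checks whether a given Left-Right total relation $R$ makes one LTG a refinement of another by the edge-matching condition of Definition 2.8, reports the concrete edges that have no abstract counterpart, and builds the abstract graph that a vertex refinement induces by collapsing each concrete state onto the abstract state it refines. Because Figure 4 is not reproduced, the edges of `G4` are one reading of the text (failures can occur whether the light is on or off, and pushing the button in a failed state changes nothing); the vertex names, the map `H`, the relation `R` and `FLASHLIGHT0` (the two-state model of Figure 1) are all assumptions of this example.

```python
"""Refinement of one Labeled Transition Graph by another (Definitions 2.7, 2.8 and 3.1),
and the abstract graph induced by a vertex refinement (Definition 3.2).
An LTG is a pair (E, v0): E a set of labeled edges (p, a, q), v0 the start vertex."""


def vertices(E, v0):
    V = {v0}
    for p, _, q in E:
        V.update((p, q))
    return V


def left_right_total(R, V_C, V_A):
    """Definition 2.7: every concrete vertex is related to some abstract vertex and
    every abstract vertex has some concrete vertex related to it."""
    lhs = {c for c, _ in R}
    rhs = {a for _, a in R}
    return V_C <= lhs and V_A <= rhs


def unmatched_edges(G_C, G_A, R):
    """Edges (p, a, q) of G_C with no counterpart (p', a, q') in G_A such that
    (p, p') and (q, q') are both in R (the condition of Definition 2.8)."""
    (E_C, _), (E_A, _) = G_C, G_A
    return {(p, a, q) for p, a, q in E_C
            if not any((p, p2) in R and (q, q2) in R
                       for p2, b, q2 in E_A if b == a)}


def is_refinement(G_C, G_A, R):
    """Definition 3.1: G_C <~_R G_A. Besides the edge condition, R must be Left-Right
    total (Definition 2.7) and relate the two start vertices, which the proof of
    Theorem 3.1 relies on."""
    (E_C, c0), (E_A, a0) = G_C, G_A
    if not left_right_total(R, vertices(E_C, c0), vertices(E_A, a0)):
        return False
    if (c0, a0) not in R:
        return False
    return not unmatched_edges(G_C, G_A, R)


def quotient(G_C, h):
    """Abstract graph induced by a vertex refinement: h maps each concrete vertex to the
    abstract vertex it refines. Every concrete edge (p, a, q) becomes (h(p), a, h(q)), so
    the relation {(v, h(v))} is by construction a refinement relation for the result."""
    E_C, c0 = G_C
    return ({(h[p], a, h[q]) for p, a, q in E_C}, h[c0])


def successors(G, v, a):
    """All q with v -a-> q; more than one element means G is non-deterministic at (v, a)."""
    E, _ = G
    return {q for p, b, q in E if p == v and b == a}


# Constructed example (Figure 4 is not reproduced; these edges are one reading of the text).
# G4: the flashlight with a low-battery and a broken-filament state. Pushing the button in a
# failed state leaves the flashlight in that state.
G4 = ({("off", "Push", "on"), ("on", "Push", "off"),
       ("off", "Discharge", "lowbatt"), ("on", "Discharge", "lowbatt"),
       ("off", "Fil.Break", "broken"), ("on", "Fil.Break", "broken"),
       ("lowbatt", "Push", "lowbatt"), ("broken", "Push", "broken")}, "off")
# Vertex refinement: both failure states refine v_Off of G1.
H = {"off": "Off", "on": "On", "lowbatt": "Off", "broken": "Off"}
R = {(c, a) for c, a in H.items()}
G1 = quotient(G4, H)
# The original two-state model of Figure 1, which ignores the failure modes.
FLASHLIGHT0 = ({("Off", "Push", "On"), ("On", "Push", "Off")}, "Off")

if __name__ == "__main__":
    print(is_refinement(G4, G1, R))            # G4 refines its own quotient
    print(successors(G1, "Off", "Push"))       # non-deterministic Push from v_Off
    print(is_refinement(G4, FLASHLIGHT0, R))   # the first model is too abstract ...
    print(sorted(unmatched_edges(G4, FLASHLIGHT0, R)))  # ... and these are the edges it misses
```

The non-deterministic `Push` edge from `Off` in the quotient is produced by the two self-loops of the failed states, which is the under-specification the text describes; checking `G4` against the original two-state model instead lists every failure edge as unmatched, so the check doubles as a diagnostic of what the first model left out.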

We  proceed  by  proving  the  following  lemmas  and  theorems  regarding  simulation 
and  refinement: 

Lemma 3.1: Simulation is reflexive.

$G_A \lesssim_I G_A$, and hence $G_A \approx_I G_A$

Proof: Let $G_A$ be a Labeled Transition Graph and let $I$ be the identity mapping on the vertices of $G_A$. Then we have $G_A \lesssim_I G_A$, since every labeled edge of $G_A$ is its own counterpart under $I$. Since $I^{-1} = I$, we also have $G_A \lesssim_{I^{-1}} G_A$. Applying Definition 2.9 yields $G_A \lesssim_I G_A \Rightarrow G_A \approx_I G_A$.
Lemma 3.2: Simulation is transitive.

$(G_B \lesssim_{R_1} G_A) \wedge (G_C \lesssim_{R_2} G_B) \Rightarrow \exists R_3 : G_C \lesssim_{R_3} G_A$

Proof: Suppose we have three Labeled Transition Graphs $G_A$, $G_B$, and $G_C$ such that $(G_B \lesssim_{R_1} G_A) \wedge (G_C \lesssim_{R_2} G_B)$. Let $R_3 = R_1 \circ R_2$ (apply $R_2$, then $R_1$). If $(v_1, a, v_2) \in E_{G_C}$ then there exist $v_1', v_2' \in V_{G_B}$ such that $(v_1, v_1'), (v_2, v_2') \in R_2$ and $(v_1', a, v_2') \in E_{G_B}$. Likewise, there exist $v_1'', v_2'' \in V_{G_A}$ such that $(v_1', v_1''), (v_2', v_2'') \in R_1$ and $(v_1'', a, v_2'') \in E_{G_A}$. Therefore, by the composition of relations, $(v_1, v_1''), (v_2, v_2'') \in R_3$ and $(v_1'', a, v_2'') \in E_{G_A}$; since $R_1$ and $R_2$ are Left-Right total, so is $R_3$. We have thus shown that $G_C \lesssim_{R_3} G_A$, i.e. that simulation is transitive.

Theorem  3.2:  Simulation  forms  a  preorder  on  a  set  of  LTG  refinements 
Proof:  This  follows  directly  from  Lemma  3.1,  and  Lemma  3.2. 


C.  OTHER  FORMS  OF  REFINEMENT 

Other  forms  of  refinement  have  been  suggested.  In  this  section  we  present  two  of 
the  most  notable  among  them. 

1.  Vertex  Refinement 

Derrick  and  Boiten  [12,  13]  introduced  weak  refinement.  Here  internal  (hidden) 
transitions  are  added  to  an  abstract  graph.  We  refer  to  this  type  of  refinement  as  Vertex 
Refinement. 

Definition 3.2: (Vertex refinement) Given two Labeled Transition Graphs $G_A$ and $G_C$, such that there exists a vertex $v \in V_{G_A}$ and $v$ is refined by a set of vertices $V' \subseteq V_{G_C}$, we write $V' \lesssim v$.
To illustrate the process, consider the vertex $v_{Off}$ in the Labeled Transition Graph $G_1$ from Figure 4. Here the actions $Fil.Break$ and $Discharge$ do not result in a change of state. The LTG $G_4$, on the other hand, captures internal changes in $v_{Off}$ caused by these actions by adding two additional vertices, $v_{LowBatt}$ and $v_{BrokenFilament}$. These new states both map to the $v_{Off}$ vertex in $G_1$, as depicted in Figure 5.

[Figure 5 not reproduced: $v_{LowBatt}$ and $v_{BrokenFilament}$ of $G_4$ mapped onto $v_{Off}$ of $G_1$]

Figure 5. Vertex Refinement


2. Edge Refinement

Additionally, Derrick and Boiten [12, 13], along with Bossi, Piazza and Rossi [14], developed a refinement process known as Non-Atomic or Action refinement. Here a single labeled edge is replaced by a Labeled Transition Graph. We refer to this type of refinement as Edge refinement.

Definition 3.3: (Edge refinement) Given two Labeled Transition Graphs $G_A$ and $G_C$, such that there exists an edge $e \in E_{G_A}$ and $e$ is refined by $G_C$, we write $G_C \lesssim e$.

An example of when such a refinement may be appropriate can be found in the modeling of the dialing of a phone, as depicted by the LTGs $G_A$ and $G_C$ in Figure 6.
In the abstract Labeled Transition Graph $G_A$ we model the dialing process with a single edge labeled Dial numbers, whereas the refinement $G_C$ displays all of the edges and vertices associated with the process of dialing the number. This edge refinement requires a mapping relation between the labeled edge in $G_A$ and a sub-graph of $G_C$. Using the notation for a transition introduced in Definition 2.1, and representing each of the seven digit selection actions as $digit_i$, where $digit_i \in \{0, 1, 2, \ldots, 9\}$ and $i \in \{1, 2, 3, \ldots, 7\}$, we write the transition or sequence of transitions leading to vertex $v_7$ for the respective LTGs as:

$Dial\ numbers(v_0) = v_7$

$digit_7(digit_6(digit_5(digit_4(digit_3(digit_2(digit_1(v_0))))))) = v_7$

Doing so allows us to compare the transition in $G_A$ with the edge refinement in $G_C$, and aids in our reasoning about the vertices of the two representations. Both models contain $v_0$ and $v_7$. The initial vertex $v_0$ contains no information concerning the phone number, whereas $v_7$ includes all seven digits of the phone number. In $G_A$ the action Dial numbers on $v_0$ leads directly to $v_7$. This is analogous to hitting speed dial or re-dial on your phone. On the other hand, in $G_C$ the digits must be entered one at a time. Consequently, the intermediate vertices contain successively more information regarding the phone number to be dialed. For instance:

$digit_1(v_0) = v_1$, where $v_1$ contains the first digit of the phone number.
$digit_2(digit_1(v_0)) = v_2$, where $v_2$ contains the first two digits of the phone number.
$digit_3(digit_2(digit_1(v_0))) = v_3$, where $v_3$ contains three digits of the phone number.
Etc.

Furthermore, it now becomes clear that the composition of the actions in $G_C$ results in the same outcome as the Dial numbers action in $G_A$, and that the intermediate states in $G_C$ are internal to the $v_7$ state in $G_A$. What's more, although this example was deterministic, it is worth noting that if the transition in the abstract Labeled Transition Graph is non-deterministic, one or more of the intermediate transitions in the edge refinement will be non-deterministic as well.

D. SUMMARY

In this chapter we presented abstraction and refinement in the general context of Computer Science, and then more specifically in terms of Labeled Transition Graphs. We first explained that abstraction is important, particularly when dealing with complex systems, because it allows us to factor out extraneous information and focus on a small number of properties of interest. We then discussed the top-down approach typically seen in secure hardware and software development, and emphasized refinement's role in ensuring that implementations retain the desired properties stipulated in the abstract design specification.

Subsequently we defined Labeled Transition Graph refinement as follows: Given two Labeled Transition Graphs $G_A$ and $G_C$, if $G_C$ is able to simulate $G_A$ we said it was a refinement of $G_A$. Moreover, we showed that if this was the case, all of the traces in $G_C$ will be contained in $G_A$. Additionally we proved that a set of Labeled Transition Graph refinements forms a preorder. Finally, we introduced two special types of refinements called Vertex and Edge refinements.
IV. DOUBLY LABELED TRANSITION GRAPHS (DLTGS)

A. INTRODUCTION

In this chapter we introduce Doubly Labeled Transition Graphs and a new concept, Modal Constrained Bisimulation. We provide an example using the non-interference security property that shows that Labeled Transition Graphs are inadequate when trying to ensure that a refinement preserves all of the desired security properties. Finally, we prove some properties related to Modal Constrained Bisimulation, and discuss edge refinement in Doubly Labeled Transition Graphs.

As we have seen, an abstract Labeled Transition Graph defines an upper bound on a set of LTG refinement behaviors. The simulation morphism between the graphs ensures that any trace in a refinement of the graph is also present in the abstract graph. Thus, no new behavior is introduced during the refinement process. Based on Larsen [15] and Dams' work [16], Schmidt [5] and Bibighaus [2] subsequently extended Labeled Transition Graphs by introducing an additional modal edge labeling scheme. In this Doubly Labeled Transition Graph (DLTG) model, each edge carries an additional must ($\Box$) or may ($\Diamond$) label.

Definition 4.1: (Doubly Labeled Transition Graph) Let $G$ be a directed labeled transition graph defined by the n-tuple $G = (V, A, E^{\Diamond}, E^{\Box}, v_0)$ where

$V$ is a set of vertices called states.

$A$ is a set of action labels.

$E^{\Diamond}$ is the set of doubly labeled "May" edges.

$E^{\Box}$ is the set of doubly labeled "Must" edges, such that $E^{\Box} \subseteq E^{\Diamond}$.

$v_0$ is a distinguished start vertex such that $v_0 \in V$.

We introduce the second set of Must and May labels to help us distinguish between edges in the abstract graph that must be present in any refinement, and edges in the abstract graph that may or may not exist in a refinement. For the sake of consistency, we require that a "Must" edge also is considered to be a "May" edge: that is to say, if an edge is labeled with the Must element it is also included in the May elements. We use the following shorthand notation to denote an edge of a DLTG $G$: $(v_1, a, \mu, v_2)$, where $v_1, v_2 \in V_G$, $a \in A_G$, and $\mu \in \{\Diamond, \Box\}$.


B. MODAL CONSTRAINED BISIMULATION (MCB)

We leverage this new ability to distinguish between edges in a graph by defining a new type of graph morphism between DLTGs.

Definition 4.2: (The Must subgraph of a DLTG)

Given a Doubly Labeled Transition Graph $G$, let $G^{\Box}$ denote the induced subgraph with respect to the $\Box$-labeled edges of $G$.

Definition 4.3: (The Must image in a DLTG refinement)

Given two Doubly Labeled Transition Graphs $G_A$ and $G_C$, where $G_A^{\Box}$ and $G_C^{\Box}$ represent the respective Must subgraphs of $G_A$ and $G_C$, and $R$ is a relation such that $G_C \lesssim_R G_A$, we denote the subgraph of $G_C^{\Box}$ that is restricted to the image of $G_A^{\Box}$ under the relation mapping $R^{-1}$ as $G_C^{\Box}|_{R^{-1}(E^{\Box}_{G_A})}$.

Definition 4.4: (Modal Constrained Bisimulation between DLTGs)

If there exist two Doubly Labeled Transition Graphs $G_A$ and $G_C$ and a Left-Right total relation $R \subseteq (V_{G_C} \times V_{G_A})$, such that $G_C \lesssim_R G_A$ and $G_A^{\Box} \approx_R G_C^{\Box}|_{R^{-1}(E^{\Box}_{G_A})}$, then there exists a Modal Constrained Bisimulation morphism between the two graphs, and we write $G_A \mathrel{|\!\approx_R} G_C$.

Note that Modal Constrained Bisimulation only requires that $G_A^{\Box} \approx_R G_C^{\Box}|_{R^{-1}(E^{\Box}_{G_A})}$. This allows for additional $\Box$ (Must) labeled edges to be added to the refinement. Since we have $G_C \lesssim_R G_A$, these added $\Box$ edges will map back to the abstract graph under the relation $R$. However, it is not required that they map to the $G_A^{\Box}$ subgraph. In the case where no additional $\Box$ edges are added to the refinement, or the additional $\Box$ edges that are added all map to $G_A^{\Box}$, the situation is simplified and we then end up with $G_C \lesssim_R G_A$ and $G_A^{\Box} \approx_R G_C^{\Box}$.

Modal Constrained Bisimulation not only guarantees that any trace in a refinement is present in the abstract graph, but it also ensures that all of the must transitions stipulated in the abstract graph are faithfully replicated in the refinement. Doubly Labeled Transition Graphs along with Modal Constrained Bisimulation establish a lower bound on the set of behaviors of a graph refinement. In fact, Schmidt [5] has shown that Doubly Labeled Transition Graph refinements are capable of preserving a larger subset of properties than Labeled Transition Graphs.

C. THE MOTIVATION BEHIND DLTGS

To highlight the benefit of using Doubly Labeled Transition Graphs, we present the following example from Dinolt [17]: Suppose we wanted to develop a Multi-Level Computer System (MLS) that is capable of supporting both high and low level users. Then in order for the system to be secure, we must ensure that low users are never given access to high level data, nor are even aware of the fact that high level instructions are being carried out on the system. In other words, from a low level user's perspective, we require that the system behave exactly like a low level system. In essence, then, we have defined a non-interference security property that we want our system to uphold.

We can model such a system using Labeled Transition Graphs by adopting a Goguen-Meseguer type Security Model [18]. We start with a set of high and low users and an LTG that represents our MLS. The actions of the graph now represent commands issued by users, and are therefore designated as either high $h$ or low $l$. Additionally, we define an $Out$ function that returns the output that is visible to a user after a set of actions has been executed by the system. Having done so, it now becomes necessary for us to also define a $Purge$ function that will remove all of the high actions from a low user's visible output. Consider the traces and purged traces of the following graphs:

$G_1$:

$T(G_1) = \{\langle\rangle, \langle l \rangle, \langle l, h \rangle\}$

$Purge(T(G_1)) = \{\langle\rangle, \langle l \rangle, \langle l \rangle\}$

Figure 7. A Secure Trace With Respect To Non-Interference

The graph $G_1$ is secure, since the Purge of each of the traces corresponds to low actions, and each of these low actions is part of the trace set of the graph.

$G_2$:

$T(G_2) = \{\langle\rangle, \langle h \rangle, \langle h, l \rangle\}$

$Purge(T(G_2)) = \{\langle\rangle, \langle\rangle, \langle l \rangle\}$

Figure 8. A Non-Secure Trace With Respect to Non-Interference

However, the graph $G_2$ is not secure. Here the Purge results in a trace $\langle l \rangle$ that is not part of the set of traces in $G_2$. If a low user saw this trace, he or she could surmise that a high action had taken place. To remedy the situation we can add an additional edge $(v_0, l, v_1)$, as depicted in the graph $G_3$.

Figure 9. Ensuring Trace Security With Respect To Non-Interference

As a result of the addition of this edge, all traces produced by the Purge function now correspond to traces in $G_3$'s trace set, and $G_3$ is now secure.

There are two important observations to be made from this example. First and foremost, Labeled Transition Graphs are not sufficient when it comes to modeling security properties. Both $G_1$ and $G_2$ are valid refinements of the Labeled Transition Graph $G_A$ depicted below,

Figure 10. The Abstract Non-Interference Labeled Transition Graph

yet $G_2$ is not secure.

Secondly, in order to guarantee that the non-interference property is retained in LTG refinements, we must not only ensure that all traces of the refinement map to traces in the abstract system, but we must also ensure that a subset of the traces of the abstract graph map to traces in the refinement graph. This is exactly what Doubly Labeled Transition Graphs allow us to do. In this case, we could have ensured that the non-interference security property was upheld by using a DLTG and requiring that the low transitions are designated as Must transitions.

Having demonstrated the utility of Doubly Labeled Transition Graphs, we proceed by proving some properties related to Modal Constrained Bisimulation.
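As an added example (not code from the thesis or from Dinolt [17]), the following Python enumerates the trace sets of $G_1$, $G_2$ and $G_3$ above, applies Purge, and checks non-interference the way the text does, namely that every purged trace is itself a trace of the graph. The edge sets are constructed from the figure descriptions, and the vertex names $v_0$, $v_1$, $v_2$ are assumptions.

```python
"""Added example (not the thesis' or Dinolt's code): trace sets, the Purge function
and the non-interference check for the LTGs G1, G2 and G3 of Figures 7 to 9.

Each graph is a set of (v1, a, v2) edges with start vertex v0; the edge sets
below are constructed from the figure descriptions in the text, and the
actions are tagged 'h' (high user) or 'l' (low user).
"""
from typing import Set, Tuple

Edge = Tuple[str, str, str]    # (v1, a, v2), the transition notation of Definition 2.1
Trace = Tuple[str, ...]        # sequence of actions; () is the empty trace <>

HIGH = {"h"}                   # actions issued by high users

# Constructed graphs: G1 is secure, G2 is not, and G3 is G2 plus the edge (v0, l, v1).
G1: Set[Edge] = {("v0", "l", "v1"), ("v1", "h", "v2")}
G2: Set[Edge] = {("v0", "h", "v1"), ("v1", "l", "v2")}
G3: Set[Edge] = G2 | {("v0", "l", "v1")}


def traces(edges: Set[Edge], start: str = "v0", max_len: int = 8) -> Set[Trace]:
    """T(G): every action sequence along a path that starts at the start vertex.

    max_len bounds the walk so the function also terminates on graphs with cycles;
    the graphs in the figures are acyclic, so the bound is never reached there."""
    result: Set[Trace] = set()
    frontier = [(start, ())]
    while frontier:
        v, trace = frontier.pop()
        result.add(trace)
        if len(trace) >= max_len:
            continue
        for (v1, a, v2) in edges:
            if v1 == v:
                frontier.append((v2, trace + (a,)))
    return result


def purge(trace: Trace) -> Trace:
    """Purge removes every high action from a trace, leaving what a low user sees."""
    return tuple(a for a in trace if a not in HIGH)


def purged_traces(edges: Set[Edge]) -> Set[Trace]:
    """Purge(T(G)) as a set; the text lists it as a multiset, so <l> appears once here."""
    return {purge(t) for t in traces(edges)}


def noninterference_violations(edges: Set[Edge]) -> Set[Trace]:
    """Purged traces that the graph cannot produce on its own.

    An empty result means the graph is secure with respect to non-interference:
    every low view Purge(t) is itself a trace of the graph, so a low user cannot
    tell whether a high action has occurred."""
    return purged_traces(edges) - traces(edges)


def is_secure(edges: Set[Edge]) -> bool:
    return not noninterference_violations(edges)


if __name__ == "__main__":
    for name, g in (("G1", G1), ("G2", G2), ("G3", G3)):
        print(name, "T =", sorted(traces(g)), "Purge(T) =", sorted(purged_traces(g)))
        print(name, "secure:", is_secure(g), "violations:", noninterference_violations(g))
```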
Lemma 4.1: MCB is reflexive.

$G_A \mathrel{|\!\approx_I} G_A$

Proof: Let $G_A$ be a Doubly Labeled Transition Graph and let $I$ be the identity mapping on the vertices of $G_A$. Then according to Definition 4.3 we have: $G_A \lesssim_I G_A$ and $G_A^{\Box} \approx_I G_A^{\Box}|_{I^{-1}(E^{\Box}_{G_A})}$. However, in this case $G_A^{\Box}|_{I^{-1}(E^{\Box}_{G_A})} = G_A^{\Box}$, and we have that $G_A^{\Box} \approx_I G_A^{\Box}$. Furthermore, since $I^{-1} = I$ we also have $G_A \lesssim_{I^{-1}} G_A$. Applying Definition 2.9 yields $G_A \mathrel{|\!\approx_I} G_A$.

Lemma 4.2: MCB is transitive.

$(G_A \mathrel{|\!\approx_{R_1}} G_B) \wedge (G_B \mathrel{|\!\approx_{R_2}} G_C) \Rightarrow \exists R_3 \ni G_A \mathrel{|\!\approx_{R_3}} G_C$

Proof: Suppose we have three Doubly Labeled Transition Graphs $G_A$, $G_B$, and $G_C$ such that $G_A \mathrel{|\!\approx_{R_1}} G_B$ and $G_B \mathrel{|\!\approx_{R_2}} G_C$. Then by applying Definition 4.4 we have that:

$(G_B \lesssim_{R_1} G_A) \wedge (G_A^{\Box} \approx_{R_1} G_B^{\Box}|_{R_1^{-1}(E^{\Box}_{G_A})})$

$(G_C \lesssim_{R_2} G_B) \wedge (G_B^{\Box} \approx_{R_2} G_C^{\Box}|_{R_2^{-1}(E^{\Box}_{G_B})})$

From Definition 2.9 we know that:

$(G_A^{\Box} \approx_{R_1} G_B^{\Box}|_{R_1^{-1}(E^{\Box}_{G_A})}) \Rightarrow (G_A^{\Box} \lesssim_{R_1^{-1}} G_B^{\Box}|_{R_1^{-1}(E^{\Box}_{G_A})}) \wedge (G_B^{\Box}|_{R_1^{-1}(E^{\Box}_{G_A})} \lesssim_{R_1} G_A^{\Box})$

$(G_B^{\Box} \approx_{R_2} G_C^{\Box}|_{R_2^{-1}(E^{\Box}_{G_B})}) \Rightarrow (G_B^{\Box} \lesssim_{R_2^{-1}} G_C^{\Box}|_{R_2^{-1}(E^{\Box}_{G_B})}) \wedge (G_C^{\Box}|_{R_2^{-1}(E^{\Box}_{G_B})} \lesssim_{R_2} G_B^{\Box})$

Using reasoning similar to that in Lemma 3.2, we proceed as follows: Suppose $v_1, v_2, v_3, v_4 \in V_{G_C}$ and that $(v_1, a_1, \Diamond, v_2) \in E^{\Diamond}_{G_C}$ and $(v_3, a_2, \Box, v_4) \in E^{\Box}_{G_C}$. Then there exist $v_1', v_2', v_3', v_4' \in V_{G_B}$ such that $(v_1, v_1'), (v_2, v_2'), (v_3, v_3'), (v_4, v_4') \in R_2$, $(v_3', v_3), (v_4', v_4) \in R_2^{-1}$, and $(v_1', a_1, \Diamond, v_2') \in E^{\Diamond}_{G_B} \wedge (v_3', a_2, \Box, v_4') \in E^{\Box}_{G_B}$. Likewise, if $v_1', v_2', v_3', v_4' \in V_{G_B}$, then there exist $v_1'', v_2'', v_3'', v_4'' \in V_{G_A}$ such that $(v_1', v_1''), (v_2', v_2''), (v_3', v_3''), (v_4', v_4'') \in R_1$, $(v_3'', v_3'), (v_4'', v_4') \in R_1^{-1}$, and $(v_1'', a_1, \Diamond, v_2'') \in E^{\Diamond}_{G_A} \wedge (v_3'', a_2, \Box, v_4'') \in E^{\Box}_{G_A}$. Therefore, by the relation composition $R_3 = R_2 \circ R_1$ and $R_3^{-1} = R_1^{-1} \circ R_2^{-1}$, we have:

$(v_1, v_1''), (v_2, v_2''), (v_3, v_3''), (v_4, v_4'') \in R_3$, $(v_3'', v_3), (v_4'', v_4) \in R_3^{-1}$, and $(v_1'', a_1, \Diamond, v_2'') \in E^{\Diamond}_{G_A} \wedge (v_3'', a_2, \Box, v_4'') \in E^{\Box}_{G_A}$.

Thus we have shown that:

$(G_A \mathrel{|\!\approx_{R_1}} G_B) \wedge (G_B \mathrel{|\!\approx_{R_2}} G_C) \Rightarrow G_A \mathrel{|\!\approx_{R_3}} G_C$

Theorem 4.1: MCB forms a preorder on a set of DLTG refinements.
Proof: This follows directly from Lemma 4.1 and Lemma 4.2.


D. REFINEMENT OF DLTGS

The edge set of a Doubly Labeled Transition Graph contains two subsets, namely $E^{\Box}$ and $E^{\Diamond}$. It therefore is necessary to specify a couple of additional requirements regarding refinement for a Doubly Labeled Transition Graph.

Definition 4.5: (Basic refinement consistency condition for DLTGs)

Given two DLTGs $G_A$ and $G_C$ such that $G_A \mathrel{|\!\approx_R} G_C$, we say that $R$ satisfies the basic refinement condition if: $\forall e \in E^{\Box}_{G_A} \wedge \forall e' \in E_{G_C} \ni (e', e) \in R \Rightarrow e' \in E^{\Box}_{G_C}$.

The basic refinement consistency condition for DLTGs ensures that all "Must" edges specified in the abstract graph persist throughout multiple refinements. A similar consistency argument exists in the case of edge refinement and results in the following theorem:

Theorem 4.2: Edge refinement theorem.

Let $G_A \mathrel{|\!\approx_{R_1}} G_B$, $e \in E^{\Box}_{G_A}$, and $G_B'$ be the edge refinement of $e$ in $G_B$; then $E^{\Box}_{G_B'} = E_{G_B'}$.

(Every edge of a graph that edge-refines a "Must" edge of a DLTG also is a "Must" edge.)

Proof: In addition to $G_A \mathrel{|\!\approx_{R_1}} G_B$, suppose, by way of contradiction, that we have an additional DLTG $G_C$ such that $G_B \mathrel{|\!\approx_{R_2}} G_C$ and $\exists e' \in E_{G_B'} \wedge e' \notin E^{\Box}_{G_B'}$. Then according to Definition 4.4 either $\nexists e'' \ni (e', e'') \in R_2$ or $\exists e'' \ni (e', e'') \in R_2$. If $\exists e'' \ni (e', e'') \in R_2$ then there cannot exist a relation such that $G_A^{\Box} \approx_R G_C^{\Box}|_{R^{-1}(E^{\Box}_{G_A})}$.

However, since $G_A \mathrel{|\!\approx_{R_1}} G_B$ and $G_B \mathrel{|\!\approx_{R_2}} G_C$ we know from Definition 4.4 that $G_A^{\Box} \approx_{R_1} G_B^{\Box}|_{R_1^{-1}(E^{\Box}_{G_A})}$ and $G_B^{\Box} \approx_{R_2} G_C^{\Box}|_{R_2^{-1}(E^{\Box}_{G_B})}$. Furthermore, from Lemma 4.2 we know that there exists a relation $R$ such that $G_A \mathrel{|\!\approx_R} G_C$, which in turn means that $G_A^{\Box} \approx_R G_C^{\Box}|_{R^{-1}(E^{\Box}_{G_A})}$. However, this results in a contradiction, and we therefore conclude that in order to have a sequence of DLTG refinements we must ensure that every edge of a graph that edge-refines a "Must" edge also is a "Must" edge.

To illustrate the point further, consider the DLTG $G_A$ of a soda machine borrowed from Bibighaus' work.¹ This simple machine accepts a coin and dispenses a soda. The coin edge is represented by a $\Diamond$ edge, because, as many of us unfortunately know, vending machines won't always accept our change. The soda edge, on the other hand, is depicted as a $\Box$ edge. This is because once the soda machine has accepted payment, we want it to faithfully dispense a soda to the consumer. Suppose now that we edge-refine $G_A$ as depicted in the graph $G_B$, but that we inadvertently classify one of the edges as a $\Diamond$ edge. Since the refinement process is not complete we subsequently create another graph $G_C$ that includes yet more detail. However, to the chagrin of our grape soda patrons, we did not require that the "Dispense Soda" edge had to appear below. This oversight results in a failure in the DLTG refinement.

¹ See Bibighaus [2], p. 6.

Figure 11. DLTG Edge Refinements
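The following Python is an added example, not code from the thesis or from Bibighaus. It implements Definitions 4.1 to 4.5 for a constructed soda-machine abstraction in the spirit of Figure 11 (the vertex names and the three refinements are assumptions) and shows that a refinement whose soda edge was inadvertently labelled $\Diamond$ still passes the MCB check of Definition 4.4 but fails the consistency condition of Definition 4.5, while a refinement that drops the soda edge altogether fails MCB outright.

```python
"""Added example, not code from the thesis or from Bibighaus: DLTGs (Definition 4.1),
the Must subgraph (4.2), the Must image (4.3), the Modal Constrained Bisimulation
check (4.4) and the basic refinement consistency condition (4.5), run on a soda
machine like the one in Figure 11.  Simulation is read as in the proof of Lemma 3.2:
G_C <=_R G_A when every edge (v1, a, mu, v2) of G_C has pairs (v1, v1'), (v2, v2')
in R and an edge (v1', a, mu', v2') in G_A.  All vertex names and the refinements
G_B_ok, G_B_may_soda and G_B_no_soda are constructed for this example."""
from dataclasses import dataclass
from typing import FrozenSet, Set, Tuple

MAY, MUST = "may", "must"           # the modal labels <> and []
Edge = Tuple[str, str, str, str]    # (v1, a, mu, v2), the shorthand of Definition 4.1
Relation = Set[Tuple[str, str]]     # R as (refined vertex, abstract vertex) pairs


@dataclass(frozen=True)
class DLTG:
    vertices: FrozenSet[str]
    start: str
    edges: FrozenSet[Edge]          # E^<>; the Must edges are those with mu == MUST

    def must_edges(self) -> FrozenSet[Edge]:
        """E^[] of Definition 4.2 (a subset of E^<> by construction)."""
        return frozenset(e for e in self.edges if e[2] == MUST)


def left_right_total(r: Relation, left: FrozenSet[str], right: FrozenSet[str]) -> bool:
    return {c for c, _ in r} == left and {a for _, a in r} == right


def simulates(refined: FrozenSet[Edge], abstract: FrozenSet[Edge], r: Relation) -> bool:
    """Every edge of `refined` has a corresponding edge (same action) in `abstract` under r."""
    return all(
        any(act == act2 and (c1, a1) in r and (c2, a2) in r for (a1, act2, _, a2) in abstract)
        for (c1, act, _, c2) in refined)


def inverse(r: Relation) -> Relation:
    return {(a, c) for (c, a) in r}


def must_image(refined: DLTG, abstract: DLTG, r: Relation) -> FrozenSet[Edge]:
    """G_C^[] restricted to R^-1(E^[]_{G_A}) (Definition 4.3): the refined Must edges
    whose endpoints map under R onto the endpoints of an abstract Must edge with the
    same action."""
    return frozenset(
        e for e in refined.must_edges()
        if any(e[1] == act and (e[0], a1) in r and (e[3], a2) in r
               for (a1, act, _, a2) in abstract.must_edges()))


def mcb(abstract: DLTG, refined: DLTG, r: Relation) -> bool:
    """G_A |~_R G_C (Definition 4.4): G_C <=_R G_A and G_A^[] ~_R G_C^[]|_{R^-1(E^[]_{G_A})}.
    The bisimulation of the two Must graphs is checked as simulation in both directions."""
    if not left_right_total(r, refined.vertices, abstract.vertices):
        return False
    if not simulates(refined.edges, abstract.edges, r):
        return False
    image = must_image(refined, abstract, r)
    return (simulates(image, abstract.must_edges(), r)
            and simulates(abstract.must_edges(), image, inverse(r)))


def basic_refinement_condition(abstract: DLTG, refined: DLTG, r: Relation) -> bool:
    """Definition 4.5: every refined edge related to an abstract Must edge is itself Must.
    This is the check that catches a Must edge that was inadvertently relabelled <>."""
    for (a1, act, _, a2) in abstract.must_edges():
        for (c1, act2, mu, c2) in refined.edges:
            if act2 == act and (c1, a1) in r and (c2, a2) in r and mu != MUST:
                return False
    return True


# Constructed abstract soda machine: the coin edge is <> (the machine may reject the
# coin) and the soda edge is [] (once paid, the machine must dispense).
G_A = DLTG(frozenset({"v0", "v1"}), "v0", frozenset({
    ("v0", "coin", MAY, "v1"),
    ("v1", "soda", MUST, "v0"),
}))

# Constructed refinement that distinguishes two paid states; both keep the obligation.
G_B_ok = DLTG(frozenset({"u0", "u1", "u2"}), "u0", frozenset({
    ("u0", "coin", MAY, "u1"),
    ("u0", "coin", MAY, "u2"),
    ("u1", "soda", MUST, "u0"),
    ("u2", "soda", MUST, "u0"),
}))

# Same refinement, but the soda edge out of u2 was inadvertently labelled <>.
G_B_may_soda = DLTG(G_B_ok.vertices, "u0", frozenset(
    (v1, a, MAY if v1 == "u2" else mu, v2) for (v1, a, mu, v2) in G_B_ok.edges))

# Constructed refinement that drops the dispense obligation altogether.
G_B_no_soda = DLTG(frozenset({"u0", "u1"}), "u0", frozenset({("u0", "coin", MAY, "u1")}))

R_OK: Relation = {("u0", "v0"), ("u1", "v1"), ("u2", "v1")}
R_NO_SODA: Relation = {("u0", "v0"), ("u1", "v1")}

if __name__ == "__main__":
    for name, g, r in (("G_B_ok", G_B_ok, R_OK), ("G_B_may_soda", G_B_may_soda, R_OK),
                       ("G_B_no_soda", G_B_no_soda, R_NO_SODA)):
        print(name, "MCB:", mcb(G_A, g, r), "Definition 4.5:", basic_refinement_condition(G_A, g, r))
```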


E. SUMMARY

In this chapter we introduced Doubly Labeled Transition Graphs as well as Modal Constrained Bisimulation. Using a non-interference example in a Multi-Level System we showed that Labeled Transition Graphs are inadequate when it comes to preserving security properties in a refinement. Having highlighted the need for Doubly Labeled Transition Graphs, we then went on to prove that Modal Constrained Bisimulation forms a preorder on a set of DLTG refinements. Finally, we discussed edge refinement in Doubly Labeled Transition Graphs, and proved that every edge of a graph that edge-refines a "Must" edge also has to be a "Must" edge.
V. COMPOSITION OF DLTG REFINEMENTS

A. INTRODUCTION

In this chapter we discuss composition of Labeled and Doubly Labeled Transition Graphs. In particular, we show when it is appropriate to compose graphs, and demonstrate how this can be carried out using a new join operation that we have constructed. We then demonstrate that it is always possible to join DLTG refinements that stem from a common abstract graph. Subsequently we prove that the join of two DLTG refinements results in a graph that is a refinement of the abstract DLTG, and also serves as an abstract graph for the two DLTG refinements from which it was made. Finally, we prove that a set of DLTG refinements along with their abstract DLTG form an ideal.

B. THE JOIN OF DLTG REFINEMENTS

Composition of Labeled and Doubly Labeled Transition Graphs is a very difficult subject. While much has been written concerning Labeled Transition Graphs and their usefulness in developing high assurance software, far less research has been carried out on how to compose these models. One of the principal difficulties when composing graphs is how one evaluates the states of the systems and then determines when states are equivalent. Bibighaus has suggested the use of Doubly Labeled Kripke Systems and the Modal $\mu$-calculus [2, 19, 20, 21]. In Bibighaus' scheme each state of the system is defined by a set of predicates. Using ternary logic, it is then possible to reason about the properties of each state and then define a product operation between compatible states of two systems.

We suggest a different strategy. Our method of composition involves graph refinements that share bisimilar subgraphs as well as a common abstract graph. By utilizing the simulation relations between the refinements and the abstract graph, as well as the bisimulation relations between subgraphs of both refinements and the abstract graph, it is possible to speak of equivalent states without having to resort to the use of state predicates. Moreover, because the refinements share a common abstract graph, we can verify that the resulting graph is well-formed and satisfies the desired properties of the abstract graph.


Definition 5.1: (Compatible graph refinements)

For all graphs $G_A$, $G_B$ and $G_C$ and $G_A'$, $G_B'$, $G_C'$ such that $G_B \lesssim_{R_1} G_A$, $G_C \lesssim_{R_2} G_A$, and such that their respective subgraphs satisfy $G_A' \approx_{R_1} G_B'$ and $G_A' \approx_{R_2} G_C'$ under the simulation relations $R_1$ and $R_2$, we say that $G_B$ and $G_C$ are join compatible.

Definition 5.2: (The join of compatible graph refinements)

Given three Labeled Transition Graphs $G_A$, $G_B$ and $G_C$ such that $G_B \lesssim_{R_1} G_A$, $G_C \lesssim_{R_2} G_A$, and $G_B$ and $G_C$ are join compatible, we create a new graph $G_B \vee G_C$, called the join of $G_B$ and $G_C$, as follows:

$V_{G_B \vee G_C} = V_{G_A'} \cup V^{join}_{G_B} \cup V^{join}_{G_C}$, where

$V^{join}_{G_B} = V_{G_B} \setminus \{v \ni \exists v' \in V_{G_A'} \wedge (v, v') \in R_1\}$

$V^{join}_{G_C} = V_{G_C} \setminus \{v \ni \exists v' \in V_{G_A'} \wedge (v, v') \in R_2\}$

$E_{G_B \vee G_C} = E^{join}_{G_B} \cup E^{connect}_{G_B} \cup E_{G_A'} \cup E^{connect}_{G_C} \cup E^{join}_{G_C}$, where

$E^{join}_{G_B} = \{e \in E_{G_B} : \eta(e) \wedge \tau(e) \in V^{join}_{G_B}\}$

$E^{connect}_{G_B} = \{e \in E_{G_B} : \eta(e) \vee \tau(e) \in V^{join}_{G_B} \wedge \exists v' \in V_{G_A'} \wedge ((\eta(e), v') \in R_1 \vee (\tau(e), v') \in R_1)\}$

$E_{G_A'} = \{e \in E_{G_A} : \eta(e) \wedge \tau(e) \in V_{G_A'}\}$, and $E^{connect}_{G_C}$ and $E^{join}_{G_C}$ are defined similarly to $E^{connect}_{G_B}$ and $E^{join}_{G_B}$.

Figure 12. Relationships Between Join Compatible Refinements


Theorem 5.1: (The join of two compatible graphs is commutative)

$G_B \vee G_C = G_C \vee G_B$

Proof: Suppose there exist three Labeled Transition Graphs $G_A$, $G_B$ and $G_C$ such that $G_B \lesssim_{R_1} G_A$, $G_C \lesssim_{R_2} G_A$, and $G_B$ and $G_C$ are join compatible. Then $G_B \vee G_C = G_C \vee G_B$ follows directly from Definition 5.2.

Lemma 5.1: A bisimulation subgraph for a set of refinements and a common abstract DLTG always exists.

$(G_A \mathrel{|\!\approx_{R_1}} G_B) \wedge (G_A \mathrel{|\!\approx_{R_2}} G_C) \Rightarrow \exists G_A' \subseteq G_A, G_B' \subseteq G_B, G_C' \subseteq G_C \wedge (G_A' \approx_{R_1} G_B') \wedge (G_A' \approx_{R_2} G_C')$

Proof: Suppose there are three DLTGs such that $G_A \mathrel{|\!\approx_{R_1}} G_B$ and $G_A \mathrel{|\!\approx_{R_2}} G_C$. From Definition 4.4 and Lemma 4.2 we have that:

$\exists G_A^{\Box}, G_B^{\Box} \ni G_A^{\Box} \approx_{R_1} G_B^{\Box}|_{R_1^{-1}(E^{\Box}_{G_A})}$ and $\exists G_C^{\Box} \ni G_A^{\Box} \approx_{R_2} G_C^{\Box}|_{R_2^{-1}(E^{\Box}_{G_A})}$.

Moreover, from Theorem 2.1 we know that there exists a relation $R$ such that:

$G_B^{\Box}|_{R_1^{-1}(E^{\Box}_{G_A})} \approx_R G_C^{\Box}|_{R_2^{-1}(E^{\Box}_{G_A})}$

Therefore we conclude that a bisimulation subgraph, in the form of the abstract "Must" graph and its associated images in the refinements, will always exist for a set of refinements and a common abstract DLTG.


Lemma 5.1 is important because it tells us that we are always able to carry out a join of two DLTG refinements that share a common abstract graph. However, in order for the join operation to be useful, we need to prove that the graph we obtain from the join operation will retain the properties of the abstract graph.

Theorem 5.2: The join of two refinements of an abstract DLTG is also a refinement of the abstract DLTG.

$(G_A \mathrel{|\!\approx_{R_1}} G_B) \wedge (G_A \mathrel{|\!\approx_{R_2}} G_C) \Rightarrow \exists R \ni G_A \mathrel{|\!\approx_R} (G_B \vee G_C)$

Proof: Suppose we have three DLTGs $G_A$, $G_B$ and $G_C$ such that $G_B \lesssim_{R_1} G_A$, $G_C \lesssim_{R_2} G_A$, and $G_A'$, $G_B'$, $G_C'$ are their respective subgraphs such that $G_A' \approx_{R_1} G_B'$ and $G_A' \approx_{R_2} G_C'$. Suppose further that we create a new DLTG $G_B \vee G_C$. Then in order to prove that the join of $G_B$ and $G_C$ also is a DLTG refinement of $G_A$ we must prove that there exists a Left-Right relation $R$ such that $(G_B \vee G_C) \lesssim_R G_A$ and $G_A^{\Box} \approx_R (G_B \vee G_C)^{\Box}|_{R^{-1}(E^{\Box}_{G_A})}$.

Part 1: Defining $R$

We begin by defining the relation $R$. From Definition 5.2 we know that for every vertex $v \in V_{G_B \vee G_C}$, either $v \in V_{G_A'}$ or $v \in V^{join}_{G_B}$ or $v \in V^{join}_{G_C}$. If $v \in V_{G_A'}$, then clearly $v \in V_{G_A}$; therefore we use the identity mapping $I$. If $v \in V^{join}_{G_B}$ then there exists a vertex $v' \in V_{G_A} \ni (v, v') \in R_1 \wedge (v', v) \in R_1^{-1}$, so we use $R_1$. Likewise, if $v \in V^{join}_{G_C}$ then there exists a vertex $v' \in V_{G_A} \ni (v, v') \in R_2 \wedge (v', v) \in R_2^{-1}$, and we use $R_2$. We have therefore defined $R$ and shown that it is Left-Right total.

Part 2: $(G_B \vee G_C) \lesssim_R G_A$

Using the previously specified relation $R$ we now show that for every edge $e$ in $G_B \vee G_C$ there exists a corresponding edge $e'$ in $G_A$ under $R$. From Definition 4.1 we know that for every edge $e$ in $G_B \vee G_C$, $e \in E^{\Diamond}$ or $e \in E^{\Box}$. Moreover, from Definition 5.2 we have: $e \in E^{join}_{G_B}$ or $e \in E^{connect}_{G_B}$ or $e \in E_{G_A'}$ or $e \in E^{connect}_{G_C}$ or $e \in E^{join}_{G_C}$. Let $e$ be of the form $e = (v_1, a, \mu, v_2)$, where $v_1, v_2 \in V_{G_B \vee G_C}$, $a \in A_{G_B \vee G_C}$, and $\mu \in \{\Diamond, \Box\}$.

$e \in E^{join}_{G_B}$:

If $e \in E^{join}_{G_B}$, then by Definition 5.2 $v_1, v_2 \in V^{join}_{G_B}$. Since we have $G_B \lesssim_{R_1} G_A$ and $R$ is such that $\forall v \in V^{join}_{G_B} : R = R_1$, we know that there exists a corresponding edge $e'$ in $G_A$.

$e \in E^{connect}_{G_B}$:

If $e \in E^{connect}_{G_B}$, then by Definition 5.2 $v_1 \in V^{join}_{G_B} \wedge v_2 \in V_{G_A'}$ or $v_1 \in V_{G_A'} \wedge v_2 \in V^{join}_{G_B}$. If $v_1 \in V^{join}_{G_B} \wedge v_2 \in V_{G_A'}$ then using $R$ we know $\exists v_1' \ni (v_1, v_1') \in R = R_1$, $(v_2, v_2) \in I$, and there must exist a corresponding edge $e'$ in $G_A$. If $v_1 \in V_{G_A'} \wedge v_2 \in V^{join}_{G_B}$, then similarly using $R$ we know that $(v_1, v_1) \in I$, $\exists v_2' \ni (v_2, v_2') \in R = R_1$, and there must exist a corresponding edge $e'$ in $G_A$.

$e \in E_{G_A'}$:

If $e \in E_{G_A'}$, then clearly $e \in E_{G_A}$ using the identity mapping prescribed by $R$.

$e \in E^{connect}_{G_C}$:

This argument is similar to that used for the case where $e \in E^{connect}_{G_B}$. However, now we let $R = R_2$.

$e \in E^{join}_{G_C}$:

This argument is similar to the one used for the case where $e \in E^{join}_{G_B}$. However, in this case $R = R_2$.

Part 3: $G_A^{\Box} \approx_R (G_B \vee G_C)^{\Box}|_{R^{-1}(E^{\Box}_{G_A})}$

Using $R^{-1}$, we must demonstrate that $G_A^{\Box} \approx_R (G_B \vee G_C)^{\Box}|_{R^{-1}(E^{\Box}_{G_A})}$. From Definition 5.2 and our initial assumptions, we know that $G_A'$ is a subgraph of $G_B \vee G_C$. Furthermore, from Lemma 5.1 we know that either $G_A^{\Box}$ is a subgraph of $G_A'$ or $G_A' = G_A^{\Box}$. The relation $R$ dictates that $R = I$, which means that $R^{-1} = I$, since $I = I^{-1}$. If $G_A' = G_A^{\Box}$, then $(G_B \vee G_C)^{\Box}|_{R^{-1}(E^{\Box}_{G_A})} = G_A^{\Box}$, and under the identity mapping $I$ it is clear that $G_A^{\Box} \approx_I G_A^{\Box}$. Let $R|_{G_A^{\Box}}$ denote the restriction of the relation $R$ to the subgraph $G_A^{\Box}$. Then, if $G_A^{\Box}$ is a subgraph of $G_A'$, $R|_{G_A^{\Box}} = I$, and we have $G_A^{\Box} \lesssim_I G_A^{\Box}$ and $G_A^{\Box} \lesssim_{I^{-1}} G_A^{\Box}$, which again means that $G_A^{\Box} \approx_R G_A^{\Box}$, and we have shown that $G_A^{\Box} \approx_R (G_B \vee G_C)^{\Box}|_{R^{-1}(E^{\Box}_{G_A})}$.

Having proved all three sub-proofs using $R$, we have thus demonstrated that:

$(G_A \mathrel{|\!\approx_{R_1}} G_B) \wedge (G_A \mathrel{|\!\approx_{R_2}} G_C) \Rightarrow G_A \mathrel{|\!\approx_R} (G_B \vee G_C)$


We  now  demonstrate  that  the  join  of  the  two  refinements  also  is  an  abstract  graph  for  the 
two  refinements  from  which  it  was  created. 

Theorem  5.3  The  join  of  two  refinements  of  an  abstract  DLTG  forms  an 
abstract  DLTG  of  the  two  refinements. 


(G 


A  K, Gb)  A  (Ga  kgc)  =>  1R,R' 3  (Gb  V  Gc)  | 


**Gba(G, 


B  V  Gc)  K'<W 


Proof:  Suppose  again  that  we  have  three  DLTGs  GA,GB  and  Gcsueh  that 

Gh  ^  Ga  ,  GC^RGA,  and  GA,GB',GC'  are  their  respective  subgraphs  such 
that  Ga'~rGb'~rGc'.  Suppose  further  that  we  create  a  new  DLTG  GB  v  Gc  .  In 
order  to  prove  ( GB  v  Gc)  |~A,G/;  we  must  show  that  there  exist  a  Left-Right 
relation  R  such  that:  GB  ^  R(GB  v  Gc )  and  (G H  v  Gc)[]  ~RGB  |  ,  n 

'•£l GrvGc ' 


Part  1  Defining  R  : 

From  Definition  5.2  we  know  that:  VGgvGc  =  {  VG  * ,  u  V/f"  u  F^""}  ,  where 
=  {yoB  \  3  3v’e  Vos  A  (v,V)  e  R,}} 

VoT  =  {VGc  \  {v  3  3v’e  VGa,  a  (v,v')  e  R2}} 

Furthermore,  we  know  that: 

Vvefi  :  v  e  Vc  ,  v  v  e  {Fr  \  Fr  ,} 

Mapping  from  VGg  to  VGgvGc  we  have  that: 

If  v  e  VGg  \  VGg,  =>  3v  e  VG°gn  3  (v,v)  e  / ,  so  we  use  /. 

Otherwise  if  veFCs,=>  3v'e  VG  ,  3  (v,v')  e  R, ,  and  we  use  . 


39 


Mapping  from  VGgvGc  to  VGg  we  have  that: 

If  v  e  VG°'"  =>  3v  e  {VGg  \  VGg.  9  (v,v)  e  I ,  so  we  use  I. 

If  veFc;=>  3v'e  VGg,  3  (v,v')  €  i?,”1 ,  so  we  use  /?,  1 . 

Finally,  if  v  e  then  we  must  prove  that  there  exists  a  corresponding  vertex  in 
VGg .  This  may  initially  seem  impossible  to  do.  However,  since  GB  G  R  G  t  and 
Gc  ^  A,_  G A  it  must  be  the  case  that  R{  and  R,  are  both  Left-Right  total. 

Therefore  we  have  that  VveVG°'”3 v'gVGa  3  (v,v')  e  R2  and 
We  VGg3v”e  VGg 3  (v',v")  e  i?,_1 .  Which  in  turn  means  that 

Vv  e  VG°in  3v"e  VGg  3  (v,v")  eR2°  R{1 . 

Part 2 $G_B \preceq_R (G_B \vee G_C)$:

Using the relation $R$ outlined above, we now show that $G_B \preceq_R (G_B \vee G_C)$. From Definition 4.1 we know that for every edge $e$ in $G_B$, $e \in E_{G_B'} \vee e \in E_{G_B}$. Moreover, $e \in E_{G_B'}$ or $e \in E_{G_B} \setminus E_{G_B'}$. Let $e$ be of the form $e = (v_1, a, \mu, v_2)$, where $v_1, v_2 \in V_{G_B \vee G_C}$, $a \in A_{G_B}$, and $\mu \in \{\Diamond, \square\}$.

$e \in E_{G_B'}$:

From Definition 5.2 we know that $G_A' \subseteq G_B \vee G_C$. Furthermore, we know $G_A' \sim_{R_1} G_B'$, and $\forall v \in V_{G_B'} : R = R_1$. Therefore,

$e \in E_{G_B'} \Rightarrow (\exists v_1', v_2' \in V_{G_A'} \ni (v_1, v_1'), (v_2, v_2') \in R = R_1 \wedge (e' = (v_1', a, \mu, v_2') \ni e' \in E_{G_A'} \subseteq E_{G_B \vee G_C}))$

$e \in E_{G_B} \setminus E_{G_B'}$:

If $e \in E_{G_B} \setminus E_{G_B'}$ then according to Definition 5.2 and $R$, there are three possibilities:

1. $e \in E_{G_B} \setminus E_{G_B'} \Rightarrow \exists (v_1, v_1), (v_2, v_2) \in I \wedge e' = (v_1, a, \mu, v_2) \ni e' \in E^{Own}_{G_B}$

2. $e \in E_{G_B} \setminus E_{G_B'} \Rightarrow \exists v_1 \in V^{Own}_{G_B} \wedge \exists v_2' \in V_{G_A'} \ni (v_1, v_1) \in I \wedge (v_2, v_2') \in R_1 \wedge e' = (v_1, a, \mu, v_2') \in E^{Connect}_{G_B}$

3. $e \in E_{G_B} \setminus E_{G_B'} \Rightarrow \exists v_1' \in V_{G_A'} \wedge \exists v_2 \in V^{Own}_{G_B} \ni (v_1, v_1') \in R_1 \wedge (v_2, v_2) \in I \wedge e' = (v_1', a, \mu, v_2) \in E^{Connect}_{G_B}$

Therefore we have shown that $G_B \preceq_R (G_B \vee G_C)$.

Part 3 $(G_B \vee G_C)^\square \sim_R G_B^\square|_{R^{-1}(E^\square_{G_B \vee G_C})}$:

Finally, we demonstrate that $R$ satisfies $(G_B \vee G_C)^\square \sim_R G_B^\square|_{R^{-1}(E^\square_{G_B \vee G_C})}$. From Definition 5.2, our initial assumptions, and Part 1, we know that $G_A'$ is a subgraph of $G_B \vee G_C$, $G_B'$ is a subgraph of $G_B$, and $R$ ensures $G_A' \sim_R G_B'$. Furthermore, from Lemma 5.1 and Definition 4.3 we know that either $G_A' = G_A^\square$ or $G_A^\square$ is a subgraph of $G_A'$, and $G_B' = G_B^\square|_{R^{-1}(E^\square_{G_B \vee G_C})}$ or $G_B^\square|_{R^{-1}(E^\square_{G_B \vee G_C})}$ is a subgraph of $G_B'$.

Since $G_A' \sim_R G_B'$ we know that $G_A^\square \sim_R G_B^\square|_{R^{-1}(E^\square_{G_B \vee G_C})}$. If $G_A' = G_A^\square$, then $(G_B \vee G_C)^\square \sim_R G_B^\square|_{R^{-1}(E^\square_{G_B \vee G_C})}$. Let $R^{-1}|_{G_A^\square}$ denote the restriction of the relation $R^{-1}$ to the subgraph $G_A^\square$. Then if $G_A^\square$ is a subgraph of $G_A'$, we use $R^{-1}|_{G_A^\square} = I$, where $I$ is the identity function, and also have $(G_B \vee G_C)^\square \sim_R G_B^\square|_{R^{-1}(E^\square_{G_B \vee G_C})}$. We have therefore demonstrated that $(G_B \vee G_C)^\square \sim_R G_B^\square|_{R^{-1}(E^\square_{G_B \vee G_C})}$.

The proof that $(G_B \vee G_C) \sqsupseteq_{R'} G_C$ is carried out similarly, and is therefore omitted. Having completed the last sub-proof we have proven that:

$(G_A \sqsupseteq_{R_1} G_B) \wedge (G_A \sqsupseteq_{R_2} G_C) \Rightarrow \exists R, R' \ni (G_B \vee G_C) \sqsupseteq_R G_B \wedge (G_B \vee G_C) \sqsupseteq_{R'} G_C$.
At this point, it would perhaps be prudent to give an example of the join procedure. To do so, we return to the refinement example used in Chapter 3. Recall that, after realizing that our initial model of a flashlight was incomplete, we created several new graphs. One of them took into account the battery running out of electrical charge, while another considered bulb failure. Finally, we created a graph that incorporated both of these types of failures. Although it wasn't mentioned at the time, what we actually did was to join two of the graphs and create the graph that included both failures. We were able to do this because the two refinements and the abstract graph shared the same subgraph, which included $v_{Off}$ and $v_{On}$ along with two Push edges. To see how this was carried out consider Figure 13.


[Figure 13: the join $G_3 \vee G_2$ of the two flashlight refinements; the figure marks the bisimilar subgraphs and the Push edges.]
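As an added worked example (not code from the thesis), the following runs the join of Definition 5.2 and the simulation check of Part 2 of the proof on a constructed flashlight model. The vertex names, the action labels Push and Fail, and the simplified must-edge check are assumptions made here, since Definitions 4.3 and 5.2 are not reproduced on this page.

```python
def join(gb, gc, r1, r2, shared):
    """Join G_B and G_C over their common abstract subgraph G_A' (reading of
    Definition 5.2): shared vertices take their G_A' name, vertices R1/R2 do
    not relate to G_A' are G_B's / G_C's own, and every edge is carried over.
    Also returns the relation R of Part 1 (R1 on G_B', identity elsewhere)."""
    def carry(g, r):
        return {v: r[v] if r.get(v) in shared else v for v in g["V"]}
    rb, rc = carry(gb, r1), carry(gc, r2)
    edges = {(m[v1], a, mu, m[v2]) for g, m in ((gb, rb), (gc, rc))
             for (v1, a, mu, v2) in g["E"]}
    return {"V": set(rb.values()) | set(rc.values()), "E": edges}, rb, rc

def simulates(fine, coarse, rel):
    """Part 2 of the proof: every edge (v1, a, mu, v2) of `fine` has the image
    edge (rel[v1], a, mu, rel[v2]) in `coarse`."""
    return all((rel[v1], a, mu, rel[v2]) in coarse["E"]
               for (v1, a, mu, v2) in fine["E"])

def must_preserved(coarse, fine, rel):
    """Simplified must condition (an assumption here): every must edge of
    `coarse` has a must edge of `fine` mapping onto it under rel."""
    inv = {}
    for v, w in rel.items():
        inv.setdefault(w, set()).add(v)
    return all(any((v1, a, "must", v2) in fine["E"]
                   for v1 in inv.get(w1, ()) for v2 in inv.get(w2, ()))
               for (w1, a, mu, w2) in coarse["E"] if mu == "must")

# Constructed sample in the spirit of the Chapter 3 flashlight (names invented).
G_A = {"V": {"off", "on", "fault"},
       "E": {("off", "Push", "must", "on"), ("on", "Push", "must", "off"),
             ("on", "Fail", "may", "fault")}}
SHARED = {"off", "on"}                         # vertices of G_A'
G_B = {"V": {"b_off", "b_on", "b_dead"},       # battery runs out
       "E": {("b_off", "Push", "must", "b_on"), ("b_on", "Push", "must", "b_off"),
             ("b_on", "Fail", "may", "b_dead")}}
G_C = {"V": {"c_off", "c_on", "c_broken"},     # bulb fails
       "E": {("c_off", "Push", "must", "c_on"), ("c_on", "Push", "must", "c_off"),
             ("c_on", "Fail", "may", "c_broken")}}
R1 = {"b_off": "off", "b_on": "on", "b_dead": "fault"}    # G_B refines G_A
R2 = {"c_off": "off", "c_on": "on", "c_broken": "fault"}  # G_C refines G_A

def check_theorem_5_3():
    """The join refines G_A, and G_B and G_C each refine the join."""
    J, rb, rc = join(G_B, G_C, R1, R2, SHARED)
    rja = {v: R1.get(v, R2.get(v, v)) for v in J["V"]}   # join -> G_A
    return (simulates(J, G_A, rja) and must_preserved(G_A, J, rja)
            and simulates(G_B, J, rb) and must_preserved(J, G_B, rb)
            and simulates(G_C, J, rc) and must_preserved(J, G_C, rc))
```

Demoting a shared Push edge of $G_B$ to a may edge makes both checks fail, which is the situation the must-edge result of Chapter 4 rules out.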
Definition 5.3: (An ideal [22])

A non-empty subset $I$ of a partially ordered set is said to be an ideal, if the following conditions hold:

1. $(a \in I) \wedge (b \in I) \Rightarrow ((a \vee b) \in I)$.

2. $(a \le b) \wedge (b \in I) \Rightarrow (a \in I)$

Moreover, $(a \vee b) \in I \Rightarrow (a \in I) \wedge (b \in I)$ and $a \le (a \vee b)$ and $b \le (a \vee b)$.


Theorem 5.4 A set of refinements of a common abstract DLTG forms an ideal.

Proof: Let $I$ represent the set of DLTG refinements of a DLTG $G_A$. From Theorem 4.1 we know that MCB forms a preorder on a set of DLTG refinements. The rest of the proof follows directly by using Lemma 5.1, Theorems 4.1, 5.2, 5.3, and applying Definition 5.3.

C.  SUMMARY 

In this chapter we discussed composition of Labeled and Doubly Labeled Transition Graphs. We showed that two refinements that share a common abstract graph as well as a subgraph can be joined together to form a new graph. We further demonstrated that it is always possible to join DLTG refinements, provided they share a common abstract graph. Subsequently we proved that the graph obtained by joining two refinements is not only a refinement of the abstract graph, but that it also represents an abstract graph for the refinements from which it was made. Finally, we proved that the set of refinements and their abstract graph form an ideal.
VI. FUTURE WORK


In  this  thesis,  we  have  developed  a  method  of  composing  refinements  that  share  a 
common  abstract  graph.  One  fundamental  question  that  still  remains  is  how  to  go  about 
composing  graphs  that  do  not  share  a  common  abstract  graph.  We  believe  that  this  may 
also  be  possible  to  accomplish  using  the  join  method  we  developed.  In  order  to  do  so,  we 
suggest first attempting to join the two abstract graphs. This is presumably possible, since composition of graphs only seems meaningful if the graphs share some common structure, albeit perhaps very little. Once a new abstract graph has been achieved, we
hypothesize  that  the  joining  of  the  refinements  will  be  possible.  Should  this  prove  to  be 
the  case,  it  could  conceivably  also  be  possible  to  address  the  dual  concept  of 
decomposition  using  our  notion  of  graph  joins.  In  this  case  one  would  split  an  abstract 
graph  into  several  abstract  subgraphs  each  containing  common  structure.  Having  done 
so,  it  would  therefore  be  possible  to  join  their  respective  refinements  back  together  at  a 
later  stage  of  the  refinement  process. 
VII. CONCLUSION


In  this  thesis  we  have  explained  the  work  of  Bibighaus  using  a  graph  theoretic 
framework.  We  began  by  defining  a  Labeled  Transition  Graph  along  with  the  notion  of 
traces  and  trace  equivalence.  We  introduced  simulation  and  bisimulation  morphisms 
between  graphs,  and  proved  that  bisimulation  not  only  guarantees  trace  equivalence,  but 
that  it  also  forms  an  equivalence  relation  on  a  set  of  Labeled  Transition  Graphs.  We  then 
discussed  the  notion  of  abstraction  and  refinement,  and  explained  why  refinement  is 
important  when  developing  high  assurance  software.  By  first  developing  an  abstract 
model  and  then  refining  it,  we  hope  to  achieve  a  concrete  implementation  that  upholds 
the properties set forth in the abstract specification. The proof that this is in fact the case takes the form of a simulation mapping between the refinement and the abstract graph.
Using  an  example  involving  non-interference  we  then  demonstrated  that  the  Labeled 
Transition  Graph  model  is  inadequate  when  it  comes  to  ensuring  that  certain  security 
properties  are  retained  throughout  the  refinement  process.  This  in  turn  motivated  the 
introduction  of  Doubly  Labeled  Transition  Graphs.  By  specifying  which  edges  must 
occur  in  a  refinement  as  opposed  to  those  that  may  or  may  not  occur,  we  were  able  to 
define a new mapping scheme. This type of morphism, which we refer to as Modal Constrained Bisimulation (MCB), guarantees not only that all edges of the refinement graph map to edges in the abstract graph, but additionally that a subset of the edges of the abstract graph always map to edges in the refinement. Accordingly, Doubly Labeled Transition Graphs coupled with the use of the Modal Constrained Bisimulation mapping ensure that we are able to retain a larger set of properties throughout the refinement process, thereby increasing the chances that our concrete implementation will conform to specifications.

In addition to explaining Bibighaus' work we contributed to the subject matter with the following results. First, we proved that in order to guarantee that a sequence of refinements retains the desired properties of the abstract graph, it is necessary that every edge of a graph that refines a "Must" edge of a DLTG is also a must edge. Secondly, and perhaps most importantly, we developed a form of graph composition called the "join" of two graphs, whereby two refinements that share a common subgraph along with the same abstract graph are joined together to produce a new graph. As a result of the Modal Constrained Bisimulation involved in the DLTG refinement process, we demonstrated that it is always possible to carry out this type of composition, provided the refinements share a common abstract graph. Furthermore, we went on to prove that the graph resulting from the join operation is not only a refinement of the abstract graph, but that it also represents an abstract graph for the refinements from which it was created.
Figure 14. DLTG Refinements and Their Abstract DLTG Form an Ideal


Finally, we showed that a set of DLTG refinements along with their abstract graph form an ideal.

These results are relevant because they tell us that, if during the course of the development process we end up with refinements that individually capture desirable aspects of a system, it is possible to combine them into a model that incorporates all of the features of both refinements, while still satisfying the properties of the abstract model. As such, we hope that this work will prove useful for future high assurance software development processes that utilize the Doubly Labeled Transition System framework.